nss-pam-ldapd package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/nslcd.init

@@ -0,0 +1,86 @@
+#!/bin/sh
+#
+# chkconfig: - 12 88 
+# description: Provides naming services using a directory server.
+# processname: /usr/sbin/nslcd
+# config: /etc/nslcd.conf
+# pidfile: /var/run/nslcd/nslcd.pid
+#
+
+### BEGIN INIT INFO
+# Provides: nslcd
+# Required-Start: $network
+# Required-Stop:
+# Default-Start:
+# Default-Stop:
+# Short-Description: naming services LDAP client daemon
+# Description: Provides naming services using a directory server.
+### END INIT INFO
+
+program=/usr/sbin/nslcd
+prog=${program##*/}
+pidfile=/var/run/nslcd/nslcd.pid
+
+if [ -f /etc/rc.d/init.d/functions ]; then
+	. /etc/rc.d/init.d/functions
+fi
+
+RETVAL=0
+
+start() {
+    echo -n $"Starting $prog: "
+    daemon $program
+    RETVAL=$?
+    echo
+    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
+    return $RETVAL
+}
+
+stop() {
+    echo -n $"Stopping $prog: "
+    killproc $program
+    RETVAL=$?
+    echo
+    if [ $RETVAL -eq 0 ]; then
+	rm -f /var/lock/subsys/$prog
+    fi
+}
+
+restart() {
+    stop
+    start
+}
+
+# See how we were called.
+case "$1" in
+    start)
+        [ -f /var/lock/subsys/$prog ] && exit 0
+        $1
+        ;;
+    stop)
+        [ -f /var/lock/subsys/$prog ] || exit 0
+        $1
+        ;;
+    restart)
+        $1
+        ;;
+    status)
+        status -p $pidfile $program
+        RETVAL=$?
+        ;;
+    condrestart|try-restart)
+        [ -f /var/lock/subsys/$prog ] && restart || :
+        ;;
+    reload)
+        echo "can't reload configuration, you have to restart it"
+        RETVAL=3
+        ;;
+    force-reload)
+        restart
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+        exit 1
+        ;;
+esac
+exit $RETVAL

SOURCES/nslcd.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Naming services LDAP client daemon.
+After=syslog.target network.target named.service dirsrv.target slapd.service
+Documentation=man:nslcd(8) man:nslcd.conf(5)
+
+[Service]
+Type=forking
+PIDFile=/var/run/nslcd/nslcd.pid
+ExecStart=/usr/sbin/nslcd
+RestartSec=10s
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

SOURCES/nslcd.tmpfiles

@@ -0,0 +1,2 @@
+# nslcd needs a directory in /var/run to store its pid file and socket
+d /var/run/nslcd 0755 nslcd root

SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch

@@ -0,0 +1,30 @@
+From ec2ac2cc7eaa945f3d07d2528ddd4b8d9b8d38e1 Mon Sep 17 00:00:00 2001
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Sun, 6 Oct 2013 14:14:39 +0000
+Subject: [PATCH 3/3] in nslcd, log EPIPE only on debug level (4897033 from
+ 0.9)
+
+git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2032 ef36b2f9-881f-0410-afb5-c4e39611909c
+---
+ nslcd/common.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/nslcd/common.h b/nslcd/common.h
+index 736d7c09c9cd6d333fc4caa0a15144cc83eb9ecd..c48decb58df5262f459e0862f677960c31e20df7 100644
+--- a/nslcd/common.h
++++ b/nslcd/common.h
+@@ -43,7 +43,10 @@
+    stream */
+ 
+ #define ERROR_OUT_WRITEERROR(fp) \
+-  log_log(LOG_WARNING,"error writing to client: %s",strerror(errno)); \
++  if (errno==EPIPE) \
++   log_log(LOG_DEBUG, "error writing to client: %s", strerror(errno)); \
++  else \
++   log_log(LOG_WARNING, "error writing to client: %s", strerror(errno)); \
+   return -1;
+ 
+ #define ERROR_OUT_READERROR(fp) \
+-- 
+1.8.3.1
+

SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch

@@ -0,0 +1,111 @@
+From 335f7e085b45556276d2c1f224648a7eed28e4fd Mon Sep 17 00:00:00 2001
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Sun, 6 Oct 2013 14:11:51 +0000
+Subject: [PATCH 2/3] use a timeout when skipping remaining result data
+ (c9e2f97 from 0.9)
+
+git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2031 ef36b2f9-881f-0410-afb5-c4e39611909c
+---
+ common/tio.c |  6 +++---
+ common/tio.h |  4 ++--
+ nss/common.h | 10 +++++++---
+ 3 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/common/tio.c b/common/tio.c
+index 9aef80ca91faedad8f75e09b9070d22ed4a0878d..780ea38f175482dfed5e1c754ef75e93ffd83768 100644
+--- a/common/tio.c
++++ b/common/tio.c
+@@ -2,7 +2,7 @@
+    tio.c - timed io functions
+    This file is part of the nss-pam-ldapd library.
+ 
+-   Copyright (C) 2007, 2008, 2010, 2011, 2012 Arthur de Jong
++   Copyright (C) 2007, 2008, 2010, 2011, 2012, 2013 Arthur de Jong
+ 
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+@@ -298,7 +298,7 @@ int tio_skip(TFILE *fp, size_t count)
+ }
+ 
+ /* Read all available data from the stream and empty the read buffer. */
+-int tio_skipall(TFILE *fp)
++int tio_skipall(TFILE *fp,int skiptimeout)
+ {
+   struct pollfd fds[1];
+   int rv;
+@@ -318,7 +318,7 @@ int tio_skipall(TFILE *fp)
+     /* see if any data is available */
+     fds[0].fd=fp->fd;
+     fds[0].events=POLLIN;
+-    rv=poll(fds,1,0);
++    rv=poll(fds,1,skiptimeout);
+     /* check the poll() result */
+     if (rv==0)
+       return 0; /* no file descriptor ready */
+diff --git a/common/tio.h b/common/tio.h
+index cd3f370732e4c54815187bb8012fd5a5ff8972af..b38d458aedd660ff95ff2e57f9df790ffd51ff6d 100644
+--- a/common/tio.h
++++ b/common/tio.h
+@@ -2,7 +2,7 @@
+    tio.h - timed io functions
+    This file is part of the nss-pam-ldapd library.
+ 
+-   Copyright (C) 2007, 2008, 2010, 2012 Arthur de Jong
++   Copyright (C) 2007, 2008, 2010, 2012, 2013 Arthur de Jong
+ 
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+@@ -59,7 +59,7 @@ int tio_read(TFILE *fp,void *buf,size_t count);
+ int tio_skip(TFILE *fp,size_t count);
+ 
+ /* Read all available data from the stream and empty the read buffer. */
+-int tio_skipall(TFILE *fp);
++int tio_skipall(TFILE *fp,int skiptimeout);
+ 
+ /* Write the specified buffer to the stream. */
+ int tio_write(TFILE *fp,const void *buf,size_t count);
+diff --git a/nss/common.h b/nss/common.h
+index e8d8e0526499c252f69a558384ddae8504009d26..3f93a4fb4704092dd5b1a41b024d33abf59cba60 100644
+--- a/nss/common.h
++++ b/nss/common.h
+@@ -2,7 +2,7 @@
+    common.h - common functions for NSS lookups
+ 
+    Copyright (C) 2006 West Consulting
+-   Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong
++   Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Arthur de Jong
+ 
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+@@ -35,6 +35,10 @@
+ #include "solnss.h"
+ #endif /* NSS_FLAVOUR_SOLARIS */
+ 
++/* skip timeout determines the maximum time to wait when closing the
++   connection and reading whatever data that is available */
++#define SKIP_TIMEOUT 500
++
+ /* These are macros for handling read and write problems, they are
+    NSS specific due to the return code so are defined here. They
+    genrally close the open file, set an error code and return with
+@@ -127,7 +131,7 @@
+   /* close socket and we're done */ \
+   if ((retv==NSS_STATUS_SUCCESS)||(retv==NSS_STATUS_TRYAGAIN)) \
+   { \
+-    (void)tio_skipall(fp); \
++    (void)tio_skipall(fp,SKIP_TIMEOUT); \
+     (void)tio_close(fp); \
+   } \
+   return retv;
+@@ -203,7 +207,7 @@
+   NSS_AVAILCHECK; \
+   if (fp!=NULL) \
+   { \
+-    (void)tio_skipall(fp); \
++    (void)tio_skipall(fp,SKIP_TIMEOUT); \
+     (void)tio_close(fp); \
+     fp=NULL; \
+   } \
+-- 
+1.8.3.1
+

SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch

@@ -0,0 +1,39 @@
+From 841dd859360ff07d705e869d2a402f6b181a14f9 Mon Sep 17 00:00:00 2001
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Sun, 1 Sep 2013 09:47:18 +0000
+Subject: [PATCH 1/3] fix buffer overflow on interrupted read (thanks John
+ Sullivan) (07a8170 from 0.9)
+
+git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2029 ef36b2f9-881f-0410-afb5-c4e39611909c
+---
+ AUTHORS      | 1 +
+ common/tio.c | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/AUTHORS b/AUTHORS
+index 5debe5f7c2a059e67f47098df8647c66eab85c13..65ee0789cb8c300c59f7b00b75e80b5b51d96ac9 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -119,3 +119,4 @@ Maxim Vetrov <muxas@mail.ru>
+ Matthew L. Dailey <matthew.l.dailey@dartmouth.edu>
+ Chris Hiestand <chiestand@salk.edu>
+ Jon Severinsson <jon@severinsson.net>
++John Sullivan <jsrhbz@kanargh.force9.co.uk>
+diff --git a/common/tio.c b/common/tio.c
+index 4456198fe84ea72966edb06700c0fff751dd3451..9aef80ca91faedad8f75e09b9070d22ed4a0878d 100644
+--- a/common/tio.c
++++ b/common/tio.c
+@@ -283,8 +283,8 @@ int tio_read(TFILE *fp, void *buf, size_t count)
+     }
+     else if ((rv<0)&&(errno!=EINTR)&&(errno!=EAGAIN))
+       return -1; /* something went wrong with the read */
+-    /* skip the read part in the buffer */
+-    fp->readbuffer.len=rv;
++    else if (rv>0)
++      fp->readbuffer.len=rv; /* skip the read part in the buffer */
+ #ifdef DEBUG_TIO_STATS
+     fp->bytesread+=rv;
+ #endif /* DEBUG_TIO_STATS */
+-- 
+1.8.3.1
+

SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch

@@ -0,0 +1,12 @@
+diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp nss-pam-ldapd-0.8.13/nslcd/pam.c
+--- nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp	2017-10-23 21:18:19.867943857 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/pam.c	2017-10-23 21:18:35.935986527 +0200
+@@ -133,7 +133,7 @@ static void update_username(MYLDAP_ENTRY
+     return;
+   }
+   /* check if the username is different and update it if needed */
+-  if (strcmp(username,value)!=0)
++  if (STR_CMP(username,value)!=0)
+   {
+     log_log(LOG_INFO,"username changed from \"%s\" to \"%s\"",username,value);
+     strcpy(username,value);

SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch

@@ -0,0 +1,77 @@
+Always use a function that we know will catch out-of-range values for UIDs and
+GIDs, which are currently unsigned 32-bit numbers everywhere, and which won't
+produce a result that'll silently be truncated if we store the result in a
+uid_t or gid_t.
+--- nss-pam-ldapd/nslcd/common.c
++++ nss-pam-ldapd/nslcd/common.c
+@@ -273,19 +273,23 @@ long int binsid2id(const char *binsid)
+          ((((long int)binsid[i+2])&0xff)<<16)|((((long int)binsid[i+3])&0xff)<<24);
+ }
+ 
+-#ifdef WANT_STRTOUI
+-/* provide a strtoui() implementation, similar to strtoul() but returning
++/* provide a strtoid() implementation, similar to strtoul() but returning
+    an range-checked unsigned int instead */
+-unsigned int strtoui(const char *nptr,char **endptr,int base)
++unsigned int strtoid(const char *nptr,char **endptr,int base)
+ {
+-  unsigned long val;
+-  val=strtoul(nptr,endptr,base);
+-  if (val>UINT_MAX)
++  long long val;
++  /* use the fact that long long is 64-bit, even on 32-bit systems */
++  val=strtoll(nptr,endptr,base);
++  if (val>UINT32_MAX)
+   {
+     errno=ERANGE;
+-    return UINT_MAX;
++    return UINT32_MAX;
+   }
+-  /* If errno was set by strtoul, we'll pass it back as-is */
+-  return (unsigned int)val;
++  else if (val < 0)
++  {
++    errno=EINVAL;
++    return UINT32_MAX;
++  }
++  /* If errno was set, we'll pass it back as-is */
++  return (uint32_t)val;
+ }
+-#endif /* WANT_STRTOUI */
+--- nss-pam-ldapd/nslcd/common.h
++++ nss-pam-ldapd/nslcd/common.h
+@@ -139,31 +139,9 @@ int nsswitch_db_uses_ldap(const char *fi
+ #endif /* _POSIX_HOST_NAME_MAX */
+ #endif /* not HOST_NAME_MAX */
+ 
+-/* provide strtouid() function alias */
+-#if SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_INT
+-#define strtouid (uid_t)strtoul
+-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
+-#define strtouid (uid_t)strtoull
+-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_INT
+-#define WANT_STRTOUI 1
+-#define strtouid (uid_t)strtoui
+-#else
+-#error unable to find implementation for strtouid()
+-#endif
+-
+-/* provide strtouid() function alias */
+-#if SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_INT
+-#define strtogid (gid_t)strtoul
+-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
+-#define strtogid (gid_t)strtoull
+-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_INT
+-#ifndef WANT_STRTOUI
+-#define WANT_STRTOUI 1
+-#endif
+-#define strtogid (uid_t)strtoui
+-#else
+-#error unable to find implementation for strtogid()
+-#endif
++uint32_t strtoid(const char *nptr,char **endptr,int base);
++#define strtouid (uid_t)strtoid
++#define strtogid (gid_t)strtoid
+ 
+ #ifdef WANT_STRTOUI
+ /* provide a strtoui() if it is needed */

SOURCES/nss-pam-ldapd-0.8.12-validname.patch

@@ -0,0 +1,36 @@
+Defaults changed to allow opening and closing parentheses everywhere.  Defaults
+changed again to make characters after the first optional, and again to go back
+to disallowing names which end with "\".
+--- man/nslcd.conf.5.xml
++++ man/nslcd.conf.5.xml
+@@ -712,7 +712,7 @@
+        characters and the 'i' flag may be appended at the end to indicate
+        that the match should be case-insensetive.
+        The default value is
+-       <literal>/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i</literal>
++       <literal>/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i</literal>
+       </para>
+      </listitem>
+     </varlistentry>
+--- nslcd/cfg.c
++++ nslcd/cfg.c
+@@ -134,7 +134,7 @@ static void cfg_defaults(struct ldap_con
+     cfg->ldc_pam_authz_search[i]=NULL;
+   cfg->ldc_nss_min_uid=0;
+   parse_validnames_statement(__FILE__,__LINE__,"",
+-                "/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i",cfg);
++                "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",cfg);
+   cfg->pam_password_prohibit_message=NULL;
+ }
+ 
+--- tests/test_common.c
++++ tests/test_common.c
+@@ -39,6 +39,8 @@ static void test_isvalidname(void)
+   assert(!isvalidname("\\foo\\bar"));
+   assert(!isvalidname("foo\\bar\\"));
+   assert(isvalidname("me")); /* try short name */
++  assert(isvalidname("f"));
++  assert(isvalidname("(foo bar)"));
+ }
+ 
+ /* the main program... */

SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch

@@ -0,0 +1,46 @@
+From e34fccc883e1fb6e7c0e1663e11ff9f96191971f Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 27 Jan 2014 17:04:32 +0100
+Subject: [PATCH 1/2] Fix use after free in read_hostent and read_netent.
+
+if NSS_STATUS_TRYAGAIN is returned from read_one_hostent or
+read_one_netent function tio_skipall will be called with NULL pointer
+It could happend in functions:
+	 _nss_ldap_getnetbyname_r
+	_nss_ldap_getnetbyaddr_r
+	_nss_ldap_gethostbyname2_r
+	_nss_ldap_gethostbyaddr_r
+---
+ nss/hosts.c    | 2 --
+ nss/networks.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/nss/hosts.c b/nss/hosts.c
+index 86b6a77..0e7027e 100644
+--- a/nss/hosts.c
++++ b/nss/hosts.c
+@@ -51,8 +51,6 @@
+ 
+ #undef ERROR_OUT_BUFERROR
+ #define ERROR_OUT_BUFERROR(fp) \
+-  (void)tio_close(fp); \
+-  fp=NULL; \
+   *errnop=ERANGE; \
+   *h_errnop=TRY_AGAIN; \
+   return NSS_STATUS_TRYAGAIN;
+diff --git a/nss/networks.c b/nss/networks.c
+index 859ef0e..1403b45 100644
+--- a/nss/networks.c
++++ b/nss/networks.c
+@@ -51,8 +51,6 @@
+ 
+ #undef ERROR_OUT_BUFERROR
+ #define ERROR_OUT_BUFERROR(fp) \
+-  (void)tio_close(fp); \
+-  fp=NULL; \
+   *errnop=ERANGE; \
+   *h_errnop=TRY_AGAIN; \
+   return NSS_STATUS_TRYAGAIN;
+-- 
+1.8.5.3
+

SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch

@@ -0,0 +1,41 @@
+From ec86b3d715ae9583288b12686a0552586caa6270 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Mon, 27 Jan 2014 17:17:33 +0100
+Subject: [PATCH 2/2] Use right h_errnop for retrying with larger buffer.
+
+The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when
+it needs to try again with a larger buffer.
+---
+ nss/hosts.c    | 2 +-
+ nss/networks.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nss/hosts.c b/nss/hosts.c
+index 0e7027e..2bf4c86 100644
+--- a/nss/hosts.c
++++ b/nss/hosts.c
+@@ -52,7 +52,7 @@
+ #undef ERROR_OUT_BUFERROR
+ #define ERROR_OUT_BUFERROR(fp) \
+   *errnop=ERANGE; \
+-  *h_errnop=TRY_AGAIN; \
++  *h_errnop=NETDB_INTERNAL; \
+   return NSS_STATUS_TRYAGAIN;
+ 
+ #undef ERROR_OUT_WRITEERROR
+diff --git a/nss/networks.c b/nss/networks.c
+index 1403b45..f3cb269 100644
+--- a/nss/networks.c
++++ b/nss/networks.c
+@@ -52,7 +52,7 @@
+ #undef ERROR_OUT_BUFERROR
+ #define ERROR_OUT_BUFERROR(fp) \
+   *errnop=ERANGE; \
+-  *h_errnop=TRY_AGAIN; \
++  *h_errnop=NETDB_INTERNAL; \
+   return NSS_STATUS_TRYAGAIN;
+ 
+ #undef ERROR_OUT_WRITEERROR
+-- 
+1.8.5.3
+

SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch

@@ -0,0 +1,17 @@
+diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password nss-pam-ldapd-0.8.13/nslcd/myldap.c
+--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password	2017-10-24 12:04:22.275105596 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/myldap.c	2017-10-24 12:04:39.355175121 +0200
+@@ -967,6 +967,13 @@ static int do_retry_search(MYLDAP_SEARCH
+         /* try to start the search */
+         pthread_mutex_unlock(&uris_mutex);
+         rc=do_try_search(search);
++        /* if we are authenticating a user and get an error regarding failed
++           password we should error out instead of trying all servers */
++        if ((search->session->binddn[0] != '\0') && (rc == LDAP_INVALID_CREDENTIALS))
++        {
++          do_close(search->session);
++          return rc;
++        }
+         if (rc==LDAP_SUCCESS)
+         {
+           pthread_mutex_lock(&uris_mutex);

SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch

@@ -0,0 +1,35 @@
+diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password nss-pam-ldapd-0.8.13/nslcd/myldap.c
+--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password	2017-10-24 12:38:29.315411416 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/myldap.c	2017-10-24 12:38:52.727517587 +0200
+@@ -88,7 +88,7 @@ struct ldap_session
+   /* the username to bind with */
+   char binddn[256];
+   /* the password to bind with if any */
+-  char bindpw[64];
++  char bindpw[128];
+   /* timestamp of last activity */
+   time_t lastactivity;
+   /* index into ldc_uris: currently connected LDAP uri */
+diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password nss-pam-ldapd-0.8.13/nslcd/pam.c
+--- nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password	2017-10-24 12:39:50.761780765 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/pam.c	2017-10-24 12:41:15.083163153 +0200
+@@ -246,7 +246,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SES
+   int rc;
+   char username[256];
+   char servicename[64];
+-  char password[64];
++  char password[128];
+   const char *userdn;
+   MYLDAP_ENTRY *entry;
+   int authzrc=NSLCD_PAM_SUCCESS;
+@@ -617,8 +617,8 @@ int nslcd_pam_pwmod(TFILE *fp,MYLDAP_SES
+   char userdn[256];
+   int asroot;
+   char servicename[64];
+-  char oldpassword[64];
+-  char newpassword[64];
++  char oldpassword[128];
++  char newpassword[128];
+   const char *binddn=NULL; /* the user performing the modification */
+   MYLDAP_ENTRY *entry;
+   char authzmsg[1024];

SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch

@@ -0,0 +1,98 @@
+diff -up nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/group.c
+--- nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting	2013-02-23 22:24:00.000000000 +0100
++++ nss-pam-ldapd-0.8.13/nslcd/group.c	2017-10-24 14:17:27.489696761 +0200
+@@ -109,10 +109,8 @@ static int mkfilter_group_bygid(gid_t gi
+   }
+   else
+   {
+-    return mysnprintf(buffer,buflen,
+-                      "(&%s(%s=%d))",
+-                      group_filter,
+-                      attmap_group_gidNumber,(int)gid);
++    return mysnprintf(buffer,buflen,"(&%s(%s=%lu))",
++                      group_filter,attmap_group_gidNumber,(unsigned long int)gid);
+   }
+ }
+ 
+diff -up nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/nslcd.c
+--- nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting	2017-10-24 14:17:05.117590857 +0200
++++ nss-pam-ldapd-0.8.13/nslcd/nslcd.c	2017-10-24 14:17:27.490696766 +0200
+@@ -402,8 +402,8 @@ static void handleconnection(int sock,MY
+   if (getpeercred(sock,&uid,&gid,&pid))
+     log_log(LOG_DEBUG,"connection from unknown client: %s",strerror(errno));
+   else
+-    log_log(LOG_DEBUG,"connection from pid=%d uid=%d gid=%d",
+-                      (int)pid,(int)uid,(int)gid);
++    log_log(LOG_DEBUG,"connection from pid=%lu uid=%lu gid=%lu",
++            (unsigned long int)pid,(unsigned long int)uid,(unsigned long int)gid);
+   /* create a stream object */
+   if ((fp=tio_fdopen(sock,READ_TIMEOUT,WRITE_TIMEOUT,
+                      READBUFFER_MINSIZE,READBUFFER_MAXSIZE,
+@@ -519,7 +519,7 @@ static void create_pidfile(const char *f
+       log_log(LOG_ERR,"cannot truncate pid file (%s): %s",filename,strerror(errno));
+       exit(EXIT_FAILURE);
+     }
+-    mysnprintf(buffer,sizeof(buffer),"%d\n",(int)getpid());
++    mysnprintf(buffer,sizeof(buffer),"%lu\n",(unsigned long int)getpid());
+     if (write(fd,buffer,strlen(buffer))!=(int)strlen(buffer))
+     {
+       log_log(LOG_ERR,"error writing pid file (%s): %s",filename,strerror(errno));
+@@ -755,11 +755,11 @@ int main(int argc,char *argv[])
+ #ifdef HAVE_INITGROUPS
+     /* load supplementary groups */
+     if (initgroups(nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid)<0)
+-      log_log(LOG_WARNING,"cannot initgroups(\"%s\",%d) (ignored): %s",
+-              nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid,strerror(errno));
++      log_log(LOG_WARNING,"cannot initgroups(\"%s\",%lu) (ignored): %s",
++              nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid,strerror(errno));
+     else
+-      log_log(LOG_DEBUG,"initgroups(\"%s\",%d) done",
+-              nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid);
++      log_log(LOG_DEBUG,"initgroups(\"%s\",%lu) done",
++              nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid);
+ #else /* not HAVE_INITGROUPS */
+ #ifdef HAVE_SETGROUPS
+     /* just drop all supplemental groups */
+@@ -777,20 +777,22 @@ int main(int argc,char *argv[])
+   {
+     if (setgid(nslcd_cfg->ldc_gid)!=0)
+     {
+-      log_log(LOG_ERR,"cannot setgid(%d): %s",(int)nslcd_cfg->ldc_gid,strerror(errno));
++      log_log(LOG_ERR,"cannot setgid(%lu): %s",
++			  (unsigned long int)nslcd_cfg->ldc_gid,strerror(errno));
+       exit(EXIT_FAILURE);
+     }
+-    log_log(LOG_DEBUG,"setgid(%d) done",(int)nslcd_cfg->ldc_gid);
++    log_log(LOG_DEBUG,"setgid(%lu) done",(unsigned long int)nslcd_cfg->ldc_gid);
+   }
+   /* change to nslcd uid */
+   if (nslcd_cfg->ldc_uid!=NOUID)
+   {
+     if (setuid(nslcd_cfg->ldc_uid)!=0)
+     {
+-      log_log(LOG_ERR,"cannot setuid(%d): %s",(int)nslcd_cfg->ldc_uid,strerror(errno));
++      log_log(LOG_ERR,"cannot setuid(%lu): %s",
++			  (unsigned long int)nslcd_cfg->ldc_uid,strerror(errno));
+       exit(EXIT_FAILURE);
+     }
+-    log_log(LOG_DEBUG,"setuid(%d) done",(int)nslcd_cfg->ldc_uid);
++    log_log(LOG_DEBUG,"setuid(%lu) done",(unsigned long int)nslcd_cfg->ldc_uid);
+   }
+   /* block all these signals so our worker threads won't handle them */
+   sigemptyset(&signalmask);
+diff -up nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/passwd.c
+--- nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting	2013-02-23 22:24:00.000000000 +0100
++++ nss-pam-ldapd-0.8.13/nslcd/passwd.c	2017-10-24 14:17:27.490696766 +0200
+@@ -115,10 +115,8 @@ static int mkfilter_passwd_byuid(uid_t u
+   }
+   else
+   {
+-    return mysnprintf(buffer,buflen,
+-                      "(&%s(%s=%d))",
+-                      passwd_filter,
+-                      attmap_passwd_uidNumber,(int)uid);
++    return mysnprintf(buffer,buflen, "(&%s(%s=%lu))",
++                      passwd_filter,attmap_passwd_uidNumber,(unsigned long int)uid);
+   }
+ }
+ 

SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch

@@ -0,0 +1,24 @@
+diff -up nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list nss-pam-ldapd-0.8.13/man/nslcd.conf.5
+--- nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list	2017-10-24 14:08:54.429271306 +0200
++++ nss-pam-ldapd-0.8.13/man/nslcd.conf.5	2017-10-24 14:09:31.691444445 +0200
+@@ -46,7 +46,7 @@ Note that you should use values that don
+ to resolve.
+ .SS "GENERAL CONNECTION OPTIONS"
+ .TP 
+-\*(T<\fBuri\fR\*(T> \fIURI\fR
++\*(T<\fBuri\fR\*(T> \fIURI\fR ...
+ Specifies the LDAP URI of the
+ server to connect to.
+ The URI scheme may be \*(T<ldap\*(T>,
+@@ -66,8 +66,9 @@ When using the ldapi scheme, %2f should
+ (e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the
+ time this should not be needed.
+ 
+-This option may be specified multiple times. Normally, only the first
+-server will be used with the following servers as fall-back (see
++This option may be specified multiple times and/or with more URIs on the
++line, separated by space. Normally, only the first server will be used
++with the following servers as fall-back (see
+ \*(T<\fBbind_timelimit\fR\*(T> below).
+ 
+ If LDAP lookups are used for host name resolution,

SOURCES/nss-pam-ldapd-exitcode.patch

@@ -0,0 +1,10 @@
+diff -up nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode nss-pam-ldapd-0.8.14/nslcd/nslcd.c
+--- nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode	2017-02-08 09:52:39.687834074 +0100
++++ nss-pam-ldapd-0.8.14/nslcd/nslcd.c	2017-02-08 09:52:54.630891580 +0100
+@@ -866,5 +866,5 @@ int main(int argc,char *argv[])
+       log_log(LOG_ERR,"thread %d is still running, shutting down anyway",i);
+   }
+   /* we're done */
+-  return EXIT_FAILURE;
++  return EXIT_SUCCESS;
+ }

SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch

@@ -0,0 +1,30 @@
+diff -up nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect
+--- nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs	2014-01-20 15:32:33.253018468 +0100
++++ nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect	2014-01-20 15:38:00.452957296 +0100
+@@ -40,7 +40,7 @@ proc reset_password {} {
+   expect {
+     "LDAP administrator password" { send "test\r"; exp_continue }
+     -regexp "(New|Retype new) password:" { send "test\r"; exp_continue }
+-    "password updated successfully" {}
++    "passwd: all authentication tokens updated successfully" {}
+     "Invalid credentials" abort
+     "Authentication token manipulation error" abort
+     default abort
+@@ -114,7 +114,7 @@ proc test_login_unknown {uid passwd} {
+   expect {
+     "Password:" { send "$passwd\r"; exp_continue }
+     "Unknown id" {}
+-    "No passwd entry for user" {}
++    "su: user $uid does not exist" {}
+     "\$ " abort
+     default abort
+   }
+@@ -156,7 +156,7 @@ expect {
+ }
+ expect {
+   -regexp "(New|Retype new) password:" { send "newpassword\r"; exp_continue }
+-  "password updated successfully" {}
++  "passwd: all authentication tokens updated successfully" {}
+   "Invalid credentials" abort
+   "Authentication token manipulation error" abort
+   "\$ " abort

SPECS/nss-pam-ldapd.spec

@@ -0,0 +1,640 @@
+%if 0%{?fedora} > 15 || 0%{?rhel} > 6
+%global systemd 1
+%global sysvinit 0
+%else
+%global systemd 0
+%global sysvinit 1
+%endif
+
+# Fedora had these in F18, but we didn't cut over to use them until after F18
+# was frozen, so pretend it didn't happen until F19.
+%if 0%{?fedora} > 18 || 0%{?rhel} > 6
+%global systemd_macros 1
+%else
+%global systemd_macros 0
+%endif
+
+%if 0%{?fedora} > 14 || 0%{?rhel} > 6
+%global tmpfiles 1
+%else
+%global tmpfiles 0
+%endif
+
+# Fedora had it in F17, but moving things around in already-released versions
+# is a bad idea, so pretend it didn't happen until F19.
+%if 0%{?fedora} > 18 || 0%{?rhel} > 6
+%global separate_usr 0
+%global nssdir %{_libdir}
+%global pamdir %{_libdir}/security
+%else
+%global separate_usr 1
+%global nssdir /%{_lib}
+%global pamdir /%{_lib}/security
+%endif
+
+# For distributions that support it, build with RELRO
+%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
+%define _hardened_build 1
+%endif
+
+Name:		nss-pam-ldapd
+Version:	0.8.13
+Release:	16%{?dist}
+Summary:	An nsswitch module which uses directory servers
+Group:		System Environment/Base
+License:	LGPLv2+
+URL:		http://arthurdejong.org/nss-pam-ldapd/
+Source0:	http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz
+Source1:	http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz.sig
+Source2:	nslcd.init
+Source3:	nslcd.tmpfiles
+Source4:	nslcd.service
+Patch1:		nss-pam-ldapd-0.8.12-validname.patch
+Patch2:         nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch
+Patch3:		nss-pam-ldapd-0.8.12-uid-overflow.patch
+Patch4:		nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch
+Patch5:		nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch
+Patch6:		nss-pam-ldapd-rh-msgs-in-tests.patch
+Patch7:         nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch
+Patch8:         nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch
+Patch9:         nss-pam-ldapd-exitcode.patch
+Patch10:        nss-pam-ldapd-0.8.12-str-cmp.patch
+Patch11:        nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch
+Patch12:        nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch
+Patch13:        nss-pam-ldapd-0.8.13-uri-man-fix.patch
+Patch14:        nss-pam-ldapd-0.8.13-uid_formatting.patch
+
+BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires:	openldap-devel, krb5-devel
+BuildRequires:	autoconf, automake
+BuildRequires:	pam-devel
+Obsoletes:	nss-ldapd < 0.7
+Provides:	nss-ldapd = %{version}-%{release}
+
+# Obsolete PADL's nss_ldap
+Provides:       nss_ldap = 265-12
+Obsoletes:      nss_ldap < 265-11
+
+%if 0%{?fedora} > 18 || 0%{?rhel} > 6
+# Obsolete PADL's pam_ldap
+Provides:       pam_ldap = 185-15
+Obsoletes:      pam_ldap < 185-15
+%global         build_pam_ldap 1
+%else
+# Pull in the pam_ldap module, which is its own package in F14 and later, to
+# keep upgrades from removing the module.  We used to disable nss-pam-ldapd's
+# own pam_ldap.so when it wasn't mature enough.
+Requires:       pam_ldap%{?_isa}
+%global         build_pam_ldap 0
+%endif
+
+# Pull in nscd, which is recommended.
+Requires:	nscd
+%if %{sysvinit}
+Requires(post):		/sbin/ldconfig, chkconfig, grep, sed
+Requires(preun):	chkconfig, initscripts
+Requires(postun):	/sbin/ldconfig, initscripts
+%endif
+%if %{systemd}
+BuildRequires:	systemd-units
+Requires(post):	systemd-units
+Requires(preun):	systemd-units
+Requires(postun):	systemd-units
+Requires(post):	systemd-sysv
+%endif
+
+%description
+The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name
+service information (users, groups, etc.) on behalf of a lightweight
+nsswitch module.
+
+%prep
+%setup -q
+%patch1 -p0 -b .validname
+%patch2 -p1 -b .epipe
+%patch3 -p1 -b .overflow
+%patch4 -p1 -b .skiptimeout
+%patch5 -p1 -b .readall
+%patch6 -p1 -b .test_msgs
+%patch7 -p1 -b .use_after_free
+%patch8 -p1 -b .errnop_val
+%patch9 -p1 -b .exit_code
+%patch10 -p1 -b .str_cmp
+%patch11 -p1 -b .avoid_lockout_on_bad_password
+%patch12 -p1 -b .long_password
+%patch13 -p1 -b .uri_list
+%patch14 -p1 -b .uid_formatting
+autoreconf -f -i
+
+%build
+CFLAGS="$RPM_OPT_FLAGS -fPIC" ; export CFLAGS
+%configure --libdir=%{nssdir} \
+%if %{build_pam_ldap}
+	--with-pam-seclib-dir=%{pamdir}
+%else
+	--disable-pam
+%endif
+make %{?_smp_mflags}
+
+%check
+make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/{%{_initddir},%{_libdir},%{_unitdir}}
+%if %{sysvinit}
+install -p -m755 %{SOURCE2} $RPM_BUILD_ROOT/%{_initddir}/nslcd
+%endif
+%if %{systemd}
+install -p -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/
+%endif
+
+%if 0%{?fedora} > 13 || 0%{?rhel} > 5
+%if %{separate_usr}
+# Follow glibc's convention and provide a .so symlink so that people who know
+# what to expect can link directly with the module.
+if test %{_libdir} != /%{_lib} ; then
+	touch $RPM_BUILD_ROOT/rootfile
+	relroot=..
+	while ! test -r $RPM_BUILD_ROOT/%{_libdir}/$relroot/rootfile ; do
+		relroot=../$relroot
+	done
+	ln -s $relroot/%{_lib}/libnss_ldap.so.2 \
+		$RPM_BUILD_ROOT/%{_libdir}/libnss_ldap.so
+	rm $RPM_BUILD_ROOT/rootfile
+fi
+%else
+ln -s libnss_ldap.so.2 $RPM_BUILD_ROOT/%{nssdir}/libnss_ldap.so
+%endif
+%endif
+
+sed -i -e 's,^uid.*,uid nslcd,g' -e 's,^gid.*,gid ldap,g' \
+$RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
+touch -r nslcd.conf $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
+mkdir -p -m 0755 $RPM_BUILD_ROOT/var/run/nslcd
+%if %{tmpfiles}
+mkdir -p -m 0755 $RPM_BUILD_ROOT/%{_tmpfilesdir}
+install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_tmpfilesdir}/%{name}.conf
+%endif
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO
+%{_sbindir}/*
+%{nssdir}/*.so.*
+%if %{build_pam_ldap}
+%{pamdir}/pam_ldap.so
+%endif
+%{_mandir}/*/*
+%attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /etc/nslcd.conf
+%if %{tmpfiles}
+%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf
+%endif
+%if %{sysvinit}
+%attr(0755,root,root) %{_initddir}/nslcd
+%endif
+%if %{systemd}
+%config(noreplace) %{_unitdir}/*
+%endif
+%attr(0755,nslcd,root) /var/run/nslcd
+%if 0%{?fedora} > 13 || 0%{?rhel} > 5
+# This would be the only thing in the -devel subpackage, so we include it.  It
+# will conflict with nss_ldap, so only include it for releases where pam_ldap is
+# its own package.
+/%{_libdir}/*.so
+%endif
+
+%pre
+getent group  ldap  > /dev/null || \
+/usr/sbin/groupadd -r -g 55 ldap
+getent passwd nslcd > /dev/null || \
+/usr/sbin/useradd -r -g ldap -c 'LDAP Client User' \
+    -u 65 -d / -s /sbin/nologin nslcd 2> /dev/null || :
+
+%post
+# The usual stuff.
+%if %{sysvinit}
+/sbin/chkconfig --add nslcd
+%endif
+%if %{systemd}
+%if %{systemd_macros}
+%systemd_post nslcd.service
+%else
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%endif
+%endif
+/sbin/ldconfig
+# Import important non-default settings from nss_ldap or pam_ldap configuration
+# files, but only the first time this package is installed.
+comment="This comment prevents repeated auto-migration of settings."
+if test -s /etc/nss-ldapd.conf ; then
+	source=/etc/nss-ldapd.conf
+elif test -s /etc/nss_ldap.conf ; then
+	source=/etc/nss_ldap.conf
+elif test -s /etc/pam_ldap.conf ; then
+	source=/etc/pam_ldap.conf
+else
+	source=/etc/ldap.conf
+fi
+target=/etc/nslcd.conf
+if test "$1" -eq "1" && ! grep -q -F "# $comment" $target 2> /dev/null ; then
+	# Try to make sure we only do this the first time.
+	echo "# $comment" >> $target
+	if grep -E -q '^uri[[:blank:]]' $source 2> /dev/null ; then
+		# Comment out the packaged default host/uri and replace it...
+		sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target
+		# ... with the uri.
+		grep -E '^uri[[:blank:]]' $source >> $target
+	elif grep -E -q '^host[[:blank:]]' $source 2> /dev/null ; then
+		# Comment out the packaged default host/uri and replace it...
+		sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target
+		# ... with the "host" reformatted as a URI.
+		scheme=ldap
+		# check for 'ssl on', which means we want to use ldaps://
+		if grep -E -q '^ssl[[:blank:]]+on$' $source 2> /dev/null ; then
+			scheme=ldaps
+		fi
+		grep -E '^host[[:blank:]]' $source |\
+		sed -r -e "s,^host[[:blank:]](.*),uri ${scheme}://\1/,g" >> $target
+	fi
+	# Base doesn't require any special logic.
+	if grep -E -q '^base[[:blank:]]' $source 2> /dev/null ; then
+		# Comment out the packaged default base and replace it.
+		sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' $target
+		grep -E '^base[[:blank:]]' $source >> $target
+	fi
+	# Pull in these settings, if they're set, directly.
+	grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' $source 2> /dev/null >> $target
+	grep -E '^(tls_)' $source 2> /dev/null >> $target
+	grep -E '^(timelimit|bind_timelimit|idle_timelimit)[[:blank:]]' $source 2> /dev/null >> $target
+fi
+# If this is the first time we're being installed, and the system is already
+# configured to use LDAP as a naming service, enable the daemon, but don't
+# start it since we can never know if that's a safe thing to do.  If this
+# is an upgrade, leave the user's runlevel selections alone.
+if [ "$1" -eq "1" ]; then
+	if grep -E -q '^USELDAP=yes$' /etc/sysconfig/authconfig 2> /dev/null ; then
+%if %{sysvinit}
+		/sbin/chkconfig nslcd on
+%endif
+%if %{systemd}
+		/bin/systemctl --no-reload enable nslcd.service >/dev/null 2>&1 ||:
+%endif
+	fi
+fi
+# Earlier versions of 0.7.6 of this package would have included both 'gid
+# nslcd' (a group which doesn't exist) and 'gid ldap' (which we ensure exists).
+# If we detect both, fix the configuration.
+if grep -q '^gid nslcd' $target ; then
+	if grep -q '^gid ldap' $target ; then
+		sed -i -e 's,^gid nslcd$,# gid nslcd,g' $target
+	fi
+fi
+# In 0.8.4, the name of the attribute which was expected to contain the DNs of
+# a group's members changed from "uniqueMember" to "member".  Change any
+# instances of "map group uniqueMember ..." to "map group member ...", unless
+# "member" is already being mapped, in which case attempting this would
+# probably just confuse things further.
+if grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]]" $target ; then
+	if ! grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+member[[:blank:]]" $target ; then
+		sed -i -r -e "s,^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]](.*),map group member \1,g" $target
+	fi
+fi
+# Create the daemon's /var/run directory if it isn't there.
+if ! test -d /var/run/nslcd ; then
+	mkdir -p -m 0755 /var/run/nslcd
+fi
+exit 0
+
+%preun
+if [ "$1" -eq "0" ]; then
+%if %{sysvinit}
+	/sbin/service nslcd stop >/dev/null 2>&1
+	/sbin/chkconfig --del nslcd
+%endif
+%if %{systemd}
+%if %{systemd_macros}
+%systemd_preun nslcd.service
+%else
+	/bin/systemctl --no-reload disable nslcd.service > /dev/null 2>&1 || :
+	/bin/systemctl stop nslcd.service > /dev/null 2>&1 || :
+%endif
+%endif
+fi
+exit 0
+
+%postun
+/sbin/ldconfig
+%if %{sysvinit}
+if [ "$1" -ge "1" ]; then
+	/etc/rc.d/init.d/nslcd condrestart >/dev/null 2>&1
+fi
+%endif
+%if %{systemd}
+%if %{systemd_macros}
+%systemd_postun_with_restart nslcd.service
+%else
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ]; then
+	/bin/systemctl try-restart nslcd.service >/dev/null 2>&1
+fi
+%endif
+%endif
+exit 0
+
+%if %{systemd}
+%triggerun -- nss-pam-ldapd < 0.7.13-6
+# Save the current service runlevel info, in case the user wants to apply
+# the enabled status manually later, by running
+#   "systemd-sysv-convert --apply nslcd".
+%{_bindir}/systemd-sysv-convert --save nslcd >/dev/null 2>&1 ||:
+# Do this because the old package's %%postun doesn't know we need to do it.
+/sbin/chkconfig --del nslcd >/dev/null 2>&1 || :
+# Do this because the old package's %%postun wouldn't have tried.
+/bin/systemctl try-restart nslcd.service >/dev/null 2>&1 || :
+exit 0
+%endif
+
+%changelog
+* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-16
+- Resolves: rhbz#1151675 - NSLCD WRAPS LDAP USER UIDNUMBER > 2^31 SO UID
+                           IS WRONG (AND A NEGATIVE NUMBER)
+
+* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-15
+- Resolves: rhbz#1204202 - fix doc to describe actual uri format in
+                           nslcd.conf
+
+* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-14
+- Resolves: rhbz#1288429 - /etc/tmpfiles.d/nss-pam-ldapd.conf shipped when
+                           /etc/tmpfiles.d is reserved for the local
+                           administrator
+
+* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-13
+- Resolves: rhbz#1312297 - nslcd.service does not restart on failure
+
+* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-12
+- Resolves: rhbz#1425790 - Unable to authenticate with 64 character password
+                           using nss-pam-ldapd
+
+* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-11
+- Resolves: rhbz#1497761 - Incorrect password tries to bind to all domain
+                           controllers and locks user out
+
+* Mon Oct 23 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-10
+- Resolves: rhbz#1357493 - In RHEL 7, authentication failing when using
+                           nslcd + pam_ldap where user has different in
+                           nis/passwd and ldap.
+
+* Mon Oct 23 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-9
+- Resolves: rhbz#1420576 - 'systemctl status nslcd' always returns FAILURE
+                           status even though the service is stopped with
+                           'systemctl stop nslcd
+
+* Wed Jan 29 2014 Jakub Hrozek <jhrozek@redhat.com>  0.8.13-8
+- Fix a potential use-after-free in nsswitch module
+- Resolves: rhbz#1036030 - New defect found in nss-pam-ldapd-0.8.13-4.el7
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.8.13-7
+- Mass rebuild 2014-01-24
+
+* Mon Jan 20 2014 Jakub Hrozek <jhrozek@redhat.com>  0.8.13-6
+- Change the error messages the tests expect to those printed on RH based
+  systems
+- Resolves: rhbz#1044482
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.8.13-5
+- Mass rebuild 2013-12-27
+
+* Fri Oct 18 2013 Nalin Dahyabhai <nalin@redhat.com>  0.8.13-4
+- compile nslcd/log.c with -fPIC instead of the current hardened-build default
+  of -fPIE, which doesn't seem to avoid relocations for its thread-local
+  variables on s390x (#1002834)
+
+* Sat Oct 05 2013 Jakub Hrozek <jhrozek@redhat.com>  0.8.13-3
+- Suppress Broken Pipe messages when requesting a large groupo
+- Resolves: rhbz#1002829
+
+* Wed Jul 31 2013 Jakub Hrozek <jhrozek@redhat.com>  0.8.13-2
+- Build with _hardened_build macro
+
+* Mon May  6 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.13-1
+- update to 0.8.13
+- correct a syntax error in the fix that was added for #832706
+
+* Tue Apr 30 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.12-4
+- in %%post, attempt to rewrite any instances of "map group uniqueMember ..."
+  to be "map group member ..." in nslcd.conf, as the attribute name changed
+  in 0.8.4 (via freeipa ticket #3589)
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jan 18 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.12-2
+- drop local patch to make the client flush some more read buffers
+
+* Fri Jan 18 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.12-1
+- update to 0.8.12 (#846793)
+- make building pam_ldap conditional on the targeted release
+- add "After=named.service dirsrv.target slapd.service" to nslcd.service,
+  to make sure that nslcd is started after them if they're to be started
+  on the local system (#832706)
+- alter the versioned Obsoletes: on pam_ldap to include the F18 package
+- use %%{_unitdir} when deciding where to put systemd configuration, based
+  on patch from Václav Pavlín (#850232)
+- use new systemd macros for scriptlet hooks, when available, based on
+  patch from Václav Pavlín (#850232)
+
+* Sun Sep 09 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.17-1
+- new upstream release 0.7.17
+
+* Sun Aug 05 2012 Jakub Hrozek <jhrozek@redhat.com> - 0.7.16-5
+- Obsolete PADL's nss_ldap
+
+* Sat Aug 04 2012 Jakub Hrozek <jhrozek@redhat.com> - 0.7.16-4
+- Build the PAM module, obsoletes PADL's pam-ldap (#856006)
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.16-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon May 14 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.16-2
+- backport upstream revision r1659 related to broken pipe when
+  requesting a large group
+- use grep -E instead of egrep to avoid rpmlint warnings
+
+* Sat Apr 28 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.16-1
+- new upstream release 0.7.16
+
+* Thu Mar 15 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.15-2
+- Do not print "Broken Pipe" error message when requesting a large group
+
+* Fri Mar 9 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.15-1
+- new upstream release 0.7.15
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Dec 16 2011 Jakub Hrozek <jhrozek@redhat.com> 0.7.14-2
+- Do not overflow large UID/GID values on 32bit architectures
+
+* Mon Nov 28 2011 Nalin Dahyabhai <nalin@redhat.com>
+- use the same conditional test for deciding when to create the .so symlink as
+  we do later on for deciding when to include it in the package (#757004)
+
+* Fri Sep 23 2011 Jakub Hrozek <jhrozek@redhat.com> 0.7.14-1
+- new upstream release 0.7.14
+- obsoletes nss-pam-ldapd-0.7.x-buffers.patch
+
+* Wed Aug 24 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-8
+- include backported enhancement to take URIs in the form "dns:DOMAIN" in
+  addition to the already-implemented "dns" (#730309)
+
+* Thu Jul 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-7
+- switch to only munging the contents of /etc/nslcd.conf on the very first
+  install (#706454)
+- make sure that we have enough space to parse any valid GID value when
+  parsing a user's primary GID (#716822)
+- backport support for the "validnames" option from SVN and use it to allow
+  parentheses characters by modifying the default setting (#690870), then
+  modify the default again to also allow shorter and shorter names to pass
+  muster (#706860)
+
+* Wed Jul 13 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-6
+- convert to systemd-native startup (#716997)
+
+* Mon Jun 13 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-5
+- change the file path Requires: we have for pam_ldap into a package name
+  Requires: (#601931)
+
+* Wed Mar 30 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-4
+- tag nslcd.conf with %%verify(not md5 size mtime), since we always tweak
+  it in %%post (#692225)
+
+* Tue Mar  1 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-3
+- add a tmpfiles configuration to ensure that /var/run/nslcd is created when
+  /var/run is completely empty at boot (#656643)
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Dec 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-1
+- update to 0.7.13
+
+* Fri Oct 29 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.12-1
+- update to 0.7.12
+
+* Fri Oct 15 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.11-1
+- update to 0.7.11
+
+* Wed Sep 29 2010 jkeating - 0.7.10-2
+- Rebuilt for gcc bug 634757
+
+* Fri Sep 24 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.10-1
+- update to 0.7.10
+
+* Thu Sep 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.9-2
+- when creating /var/run/nslcd in the buildroot, specify that 0755 is a
+  permissions value and not another directory name (#636880)
+
+* Mon Aug 30 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.9-1
+- update to 0.7.9
+
+* Wed Aug 18 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.8-1
+- update to 0.7.8
+
+* Wed Jul  7 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.7-1
+- update to 0.7.7
+
+* Mon Jun 28 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.6-3
+- don't accidentally set multiple 'gid' settings in nslcd.conf, and try to
+  clean up after older versions of this package that did (#608314)
+
+* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.6-2
+- make inclusion of the .so symlink conditional on being on a sufficiently-
+  new Fedora where pam_ldap isn't part of the nss_ldap package, so having
+  this package conflict with nss_ldap doesn't require that pam_ldap be
+  removed (#596691)
+
+* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.6-1
+- update to 0.7.6
+
+* Mon May 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.5-3
+- switch to the upstream patch for #592411
+
+* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.5-2
+- don't return an uninitialized buffer as the value for an optional attribute
+  that isn't present in the directory server entry (#592411)
+
+* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.5-1
+- update to 0.7.5
+
+* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.4-1
+- update to 0.7.4
+- stop trying to migrate retry timeout parameters from old ldap.conf files
+- add an explicit requires: on nscd to make sure it's at least available on
+  systems that are using nss-pam-ldapd; otherwise it's usually optional
+
+* Tue Mar 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.3-1
+- update to 0.7.3
+
+* Thu Feb 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.2-2
+- bump release for post-review commit
+
+* Thu Feb 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.2-1
+- add comments about why we have a .so link at all, and not a -devel subpackage
+
+* Wed Jan 13 2010 Nalin Dahyabhai <nalin@redhat.com>
+- obsolete/provides nss-ldapd
+- import configuration from nss-ldapd.conf, too
+
+* Tue Jan 12 2010 Nalin Dahyabhai <nalin@redhat.com>
+- rename to nss-pam-ldapd
+- also check for import settings in /etc/nss_ldap.conf and /etc/pam_ldap.conf
+
+* Thu Sep 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.11-2
+- rebuild
+
+* Wed Sep 16 2009 Nalin Dahyabhai <nalin@redhat.com> 
+- apply Mitchell Berger's patch to clean up the init script, use %%{_initddir},
+  and correct the %%post so that it only thinks about turning on nslcd when
+  we're first being installed (#522947)
+- tell status() where the pidfile is when the init script is called for that
+
+* Tue Sep  8 2009 Nalin Dahyabhai <nalin@redhat.com>
+- fix typo in a comment, capitalize the full name for "LDAP Client User" (more
+  from #516049)
+
+* Wed Sep  2 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.11-1
+- update to 0.6.11
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jun 18 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.10-3
+- update URL: and Source:
+
+* Mon Jun 15 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.10-2
+- add and own /var/run/nslcd
+- convert hosts to uri during migration
+
+* Thu Jun 11 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.10-1
+- update to 0.6.10
+
+* Fri Apr 17 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.8-1
+- bump release number to 1 (part of #491767)
+- fix which group we check for during %%pre (part of #491767)
+
+* Tue Mar 24 2009 Nalin Dahyabhai <nalin@redhat.com>
+- require chkconfig by package rather than path (Jussi Lehtola, part of #491767)
+
+* Mon Mar 23 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.8-0.1
+- update to 0.6.8
+
+* Mon Mar 23 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.7-0.1
+- start using a dedicated user
+
+* Wed Mar 18 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.7-0.0
+- initial package (#445965)