powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

nss-pam-ldapd package update 

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 2018-06-06 01:35:27 +02:00
parent 77fa6e3b56
commit 0479a63b69
18 changed files with 1348 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
SOURCES/nslcd.init Normal file
View File

@ -0,0 +1,86 @@
#!/bin/sh
#
# chkconfig: - 12 88
# description: Provides naming services using a directory server.
# processname: /usr/sbin/nslcd
# config: /etc/nslcd.conf
# pidfile: /var/run/nslcd/nslcd.pid
#

### BEGIN INIT INFO
# Provides: nslcd
# Required-Start: $network
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: naming services LDAP client daemon
# Description: Provides naming services using a directory server.
### END INIT INFO

program=/usr/sbin/nslcd
prog=${program##*/}
pidfile=/var/run/nslcd/nslcd.pid

if [ -f /etc/rc.d/init.d/functions ]; then
. /etc/rc.d/init.d/functions
fi

RETVAL=0

start() {
echo -n $"Starting $prog: "
daemon $program
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
}

stop() {
echo -n $"Stopping $prog: "
killproc $program
RETVAL=$?
echo
if [ $RETVAL -eq 0 ]; then
rm -f /var/lock/subsys/$prog
fi
}

restart() {
stop
start
}

# See how we were called.
case "$1" in
start)
[ -f /var/lock/subsys/$prog ] && exit 0
$1
;;
stop)
[ -f /var/lock/subsys/$prog ] || exit 0
$1
;;
restart)
$1
;;
status)
status -p $pidfile $program
RETVAL=$?
;;
condrestart|try-restart)
[ -f /var/lock/subsys/$prog ] && restart || :
;;
reload)
echo "can't reload configuration, you have to restart it"
RETVAL=3
;;
force-reload)
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 1
;;
esac
exit $RETVAL

14
SOURCES/nslcd.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=Naming services LDAP client daemon.
After=syslog.target network.target named.service dirsrv.target slapd.service
Documentation=man:nslcd(8) man:nslcd.conf(5)

[Service]
Type=forking
PIDFile=/var/run/nslcd/nslcd.pid
ExecStart=/usr/sbin/nslcd
RestartSec=10s
Restart=on-failure

[Install]
WantedBy=multi-user.target

2
SOURCES/nslcd.tmpfiles Normal file
View File

@ -0,0 +1,2 @@
# nslcd needs a directory in /var/run to store its pid file and socket
d /var/run/nslcd 0755 nslcd root

30
SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch Normal file
View File

@ -0,0 +1,30 @@
From ec2ac2cc7eaa945f3d07d2528ddd4b8d9b8d38e1 Mon Sep 17 00:00:00 2001
From: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun, 6 Oct 2013 14:14:39 +0000
Subject: [PATCH 3/3] in nslcd, log EPIPE only on debug level (4897033 from
0.9)

git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2032 ef36b2f9-881f-0410-afb5-c4e39611909c
---
nslcd/common.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nslcd/common.h b/nslcd/common.h
index 736d7c09c9cd6d333fc4caa0a15144cc83eb9ecd..c48decb58df5262f459e0862f677960c31e20df7 100644
--- a/nslcd/common.h
+++ b/nslcd/common.h
@@ -43,7 +43,10 @@
stream */
#define ERROR_OUT_WRITEERROR(fp) \
- log_log(LOG_WARNING,"error writing to client: %s",strerror(errno)); \
+ if (errno==EPIPE) \
+ log_log(LOG_DEBUG, "error writing to client: %s", strerror(errno)); \
+ else \
+ log_log(LOG_WARNING, "error writing to client: %s", strerror(errno)); \
return -1;
#define ERROR_OUT_READERROR(fp) \
--
1.8.3.1

111
SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch Normal file
View File

@ -0,0 +1,111 @@
From 335f7e085b45556276d2c1f224648a7eed28e4fd Mon Sep 17 00:00:00 2001
From: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun, 6 Oct 2013 14:11:51 +0000
Subject: [PATCH 2/3] use a timeout when skipping remaining result data
(c9e2f97 from 0.9)

git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2031 ef36b2f9-881f-0410-afb5-c4e39611909c
---
common/tio.c | 6 +++---
common/tio.h | 4 ++--
nss/common.h | 10 +++++++---
3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/common/tio.c b/common/tio.c
index 9aef80ca91faedad8f75e09b9070d22ed4a0878d..780ea38f175482dfed5e1c754ef75e93ffd83768 100644
--- a/common/tio.c
+++ b/common/tio.c
@@ -2,7 +2,7 @@
tio.c - timed io functions
This file is part of the nss-pam-ldapd library.
- Copyright (C) 2007, 2008, 2010, 2011, 2012 Arthur de Jong
+ Copyright (C) 2007, 2008, 2010, 2011, 2012, 2013 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -298,7 +298,7 @@ int tio_skip(TFILE *fp, size_t count)
}
/* Read all available data from the stream and empty the read buffer. */
-int tio_skipall(TFILE *fp)
+int tio_skipall(TFILE *fp,int skiptimeout)
{
struct pollfd fds[1];
int rv;
@@ -318,7 +318,7 @@ int tio_skipall(TFILE *fp)
/* see if any data is available */
fds[0].fd=fp->fd;
fds[0].events=POLLIN;
- rv=poll(fds,1,0);
+ rv=poll(fds,1,skiptimeout);
/* check the poll() result */
if (rv==0)
return 0; /* no file descriptor ready */
diff --git a/common/tio.h b/common/tio.h
index cd3f370732e4c54815187bb8012fd5a5ff8972af..b38d458aedd660ff95ff2e57f9df790ffd51ff6d 100644
--- a/common/tio.h
+++ b/common/tio.h
@@ -2,7 +2,7 @@
tio.h - timed io functions
This file is part of the nss-pam-ldapd library.
- Copyright (C) 2007, 2008, 2010, 2012 Arthur de Jong
+ Copyright (C) 2007, 2008, 2010, 2012, 2013 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -59,7 +59,7 @@ int tio_read(TFILE *fp,void *buf,size_t count);
int tio_skip(TFILE *fp,size_t count);
/* Read all available data from the stream and empty the read buffer. */
-int tio_skipall(TFILE *fp);
+int tio_skipall(TFILE *fp,int skiptimeout);
/* Write the specified buffer to the stream. */
int tio_write(TFILE *fp,const void *buf,size_t count);
diff --git a/nss/common.h b/nss/common.h
index e8d8e0526499c252f69a558384ddae8504009d26..3f93a4fb4704092dd5b1a41b024d33abf59cba60 100644
--- a/nss/common.h
+++ b/nss/common.h
@@ -2,7 +2,7 @@
common.h - common functions for NSS lookups
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong
+ Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -35,6 +35,10 @@
#include "solnss.h"
#endif /* NSS_FLAVOUR_SOLARIS */
+/* skip timeout determines the maximum time to wait when closing the
+ connection and reading whatever data that is available */
+#define SKIP_TIMEOUT 500
+
/* These are macros for handling read and write problems, they are
NSS specific due to the return code so are defined here. They
genrally close the open file, set an error code and return with
@@ -127,7 +131,7 @@
/* close socket and we're done */ \
if ((retv==NSS_STATUS_SUCCESS)||(retv==NSS_STATUS_TRYAGAIN)) \
{ \
- (void)tio_skipall(fp); \
+ (void)tio_skipall(fp,SKIP_TIMEOUT); \
(void)tio_close(fp); \
} \
return retv;
@@ -203,7 +207,7 @@
NSS_AVAILCHECK; \
if (fp!=NULL) \
{ \
- (void)tio_skipall(fp); \
+ (void)tio_skipall(fp,SKIP_TIMEOUT); \
(void)tio_close(fp); \
fp=NULL; \
} \
--
1.8.3.1

39
SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch Normal file
View File

@ -0,0 +1,39 @@
From 841dd859360ff07d705e869d2a402f6b181a14f9 Mon Sep 17 00:00:00 2001
From: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun, 1 Sep 2013 09:47:18 +0000
Subject: [PATCH 1/3] fix buffer overflow on interrupted read (thanks John
Sullivan) (07a8170 from 0.9)

git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2029 ef36b2f9-881f-0410-afb5-c4e39611909c
---
AUTHORS | 1 +
common/tio.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/AUTHORS b/AUTHORS
index 5debe5f7c2a059e67f47098df8647c66eab85c13..65ee0789cb8c300c59f7b00b75e80b5b51d96ac9 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -119,3 +119,4 @@ Maxim Vetrov <muxas@mail.ru>
Matthew L. Dailey <matthew.l.dailey@dartmouth.edu>
Chris Hiestand <chiestand@salk.edu>
Jon Severinsson <jon@severinsson.net>
+John Sullivan <jsrhbz@kanargh.force9.co.uk>
diff --git a/common/tio.c b/common/tio.c
index 4456198fe84ea72966edb06700c0fff751dd3451..9aef80ca91faedad8f75e09b9070d22ed4a0878d 100644
--- a/common/tio.c
+++ b/common/tio.c
@@ -283,8 +283,8 @@ int tio_read(TFILE *fp, void *buf, size_t count)
}
else if ((rv<0)&&(errno!=EINTR)&&(errno!=EAGAIN))
return -1; /* something went wrong with the read */
- /* skip the read part in the buffer */
- fp->readbuffer.len=rv;
+ else if (rv>0)
+ fp->readbuffer.len=rv; /* skip the read part in the buffer */
#ifdef DEBUG_TIO_STATS
fp->bytesread+=rv;
#endif /* DEBUG_TIO_STATS */
--
1.8.3.1

12
SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp nss-pam-ldapd-0.8.13/nslcd/pam.c
--- nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp 2017-10-23 21:18:19.867943857 +0200
+++ nss-pam-ldapd-0.8.13/nslcd/pam.c 2017-10-23 21:18:35.935986527 +0200
@@ -133,7 +133,7 @@ static void update_username(MYLDAP_ENTRY
return;
}
/* check if the username is different and update it if needed */
- if (strcmp(username,value)!=0)
+ if (STR_CMP(username,value)!=0)
{
log_log(LOG_INFO,"username changed from \"%s\" to \"%s\"",username,value);
strcpy(username,value);

77
SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch Normal file
View File

@ -0,0 +1,77 @@
Always use a function that we know will catch out-of-range values for UIDs and
GIDs, which are currently unsigned 32-bit numbers everywhere, and which won't
produce a result that'll silently be truncated if we store the result in a
uid_t or gid_t.
--- nss-pam-ldapd/nslcd/common.c
+++ nss-pam-ldapd/nslcd/common.c
@@ -273,19 +273,23 @@ long int binsid2id(const char *binsid)
((((long int)binsid[i+2])&0xff)<<16)|((((long int)binsid[i+3])&0xff)<<24);
}
-#ifdef WANT_STRTOUI
-/* provide a strtoui() implementation, similar to strtoul() but returning
+/* provide a strtoid() implementation, similar to strtoul() but returning
an range-checked unsigned int instead */
-unsigned int strtoui(const char *nptr,char **endptr,int base)
+unsigned int strtoid(const char *nptr,char **endptr,int base)
{
- unsigned long val;
- val=strtoul(nptr,endptr,base);
- if (val>UINT_MAX)
+ long long val;
+ /* use the fact that long long is 64-bit, even on 32-bit systems */
+ val=strtoll(nptr,endptr,base);
+ if (val>UINT32_MAX)
{
errno=ERANGE;
- return UINT_MAX;
+ return UINT32_MAX;
}
- /* If errno was set by strtoul, we'll pass it back as-is */
- return (unsigned int)val;
+ else if (val < 0)
+ {
+ errno=EINVAL;
+ return UINT32_MAX;
+ }
+ /* If errno was set, we'll pass it back as-is */
+ return (uint32_t)val;
}
-#endif /* WANT_STRTOUI */
--- nss-pam-ldapd/nslcd/common.h
+++ nss-pam-ldapd/nslcd/common.h
@@ -139,31 +139,9 @@ int nsswitch_db_uses_ldap(const char *fi
#endif /* _POSIX_HOST_NAME_MAX */
#endif /* not HOST_NAME_MAX */
-/* provide strtouid() function alias */
-#if SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_INT
-#define strtouid (uid_t)strtoul
-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
-#define strtouid (uid_t)strtoull
-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_INT
-#define WANT_STRTOUI 1
-#define strtouid (uid_t)strtoui
-#else
-#error unable to find implementation for strtouid()
-#endif
-
-/* provide strtouid() function alias */
-#if SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_INT
-#define strtogid (gid_t)strtoul
-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_LONG_INT
-#define strtogid (gid_t)strtoull
-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_INT
-#ifndef WANT_STRTOUI
-#define WANT_STRTOUI 1
-#endif
-#define strtogid (uid_t)strtoui
-#else
-#error unable to find implementation for strtogid()
-#endif
+uint32_t strtoid(const char *nptr,char **endptr,int base);
+#define strtouid (uid_t)strtoid
+#define strtogid (gid_t)strtoid
#ifdef WANT_STRTOUI
/* provide a strtoui() if it is needed */

36
SOURCES/nss-pam-ldapd-0.8.12-validname.patch Normal file
View File

@ -0,0 +1,36 @@
Defaults changed to allow opening and closing parentheses everywhere. Defaults
changed again to make characters after the first optional, and again to go back
to disallowing names which end with "\".
--- man/nslcd.conf.5.xml
+++ man/nslcd.conf.5.xml
@@ -712,7 +712,7 @@
characters and the 'i' flag may be appended at the end to indicate
that the match should be case-insensetive.
The default value is
- <literal>/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i</literal>
+ <literal>/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i</literal>
</para>
</listitem>
</varlistentry>
--- nslcd/cfg.c
+++ nslcd/cfg.c
@@ -134,7 +134,7 @@ static void cfg_defaults(struct ldap_con
cfg->ldc_pam_authz_search[i]=NULL;
cfg->ldc_nss_min_uid=0;
parse_validnames_statement(__FILE__,__LINE__,"",
- "/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i",cfg);
+ "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",cfg);
cfg->pam_password_prohibit_message=NULL;
}
--- tests/test_common.c
+++ tests/test_common.c
@@ -39,6 +39,8 @@ static void test_isvalidname(void)
assert(!isvalidname("\\foo\\bar"));
assert(!isvalidname("foo\\bar\\"));
assert(isvalidname("me")); /* try short name */
+ assert(isvalidname("f"));
+ assert(isvalidname("(foo bar)"));
}
/* the main program... */

46
SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch Normal file
View File

@ -0,0 +1,46 @@
From e34fccc883e1fb6e7c0e1663e11ff9f96191971f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 27 Jan 2014 17:04:32 +0100
Subject: [PATCH 1/2] Fix use after free in read_hostent and read_netent.

if NSS_STATUS_TRYAGAIN is returned from read_one_hostent or
read_one_netent function tio_skipall will be called with NULL pointer
It could happend in functions:
_nss_ldap_getnetbyname_r
_nss_ldap_getnetbyaddr_r
_nss_ldap_gethostbyname2_r
_nss_ldap_gethostbyaddr_r
---
nss/hosts.c | 2 --
nss/networks.c | 2 --
2 files changed, 4 deletions(-)

diff --git a/nss/hosts.c b/nss/hosts.c
index 86b6a77..0e7027e 100644
--- a/nss/hosts.c
+++ b/nss/hosts.c
@@ -51,8 +51,6 @@
#undef ERROR_OUT_BUFERROR
#define ERROR_OUT_BUFERROR(fp) \
- (void)tio_close(fp); \
- fp=NULL; \
*errnop=ERANGE; \
*h_errnop=TRY_AGAIN; \
return NSS_STATUS_TRYAGAIN;
diff --git a/nss/networks.c b/nss/networks.c
index 859ef0e..1403b45 100644
--- a/nss/networks.c
+++ b/nss/networks.c
@@ -51,8 +51,6 @@
#undef ERROR_OUT_BUFERROR
#define ERROR_OUT_BUFERROR(fp) \
- (void)tio_close(fp); \
- fp=NULL; \
*errnop=ERANGE; \
*h_errnop=TRY_AGAIN; \
return NSS_STATUS_TRYAGAIN;
--
1.8.5.3

41
SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch Normal file
View File

@ -0,0 +1,41 @@
From ec86b3d715ae9583288b12686a0552586caa6270 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 27 Jan 2014 17:17:33 +0100
Subject: [PATCH 2/2] Use right h_errnop for retrying with larger buffer.

The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when
it needs to try again with a larger buffer.
---
nss/hosts.c | 2 +-
nss/networks.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/nss/hosts.c b/nss/hosts.c
index 0e7027e..2bf4c86 100644
--- a/nss/hosts.c
+++ b/nss/hosts.c
@@ -52,7 +52,7 @@
#undef ERROR_OUT_BUFERROR
#define ERROR_OUT_BUFERROR(fp) \
*errnop=ERANGE; \
- *h_errnop=TRY_AGAIN; \
+ *h_errnop=NETDB_INTERNAL; \
return NSS_STATUS_TRYAGAIN;
#undef ERROR_OUT_WRITEERROR
diff --git a/nss/networks.c b/nss/networks.c
index 1403b45..f3cb269 100644
--- a/nss/networks.c
+++ b/nss/networks.c
@@ -52,7 +52,7 @@
#undef ERROR_OUT_BUFERROR
#define ERROR_OUT_BUFERROR(fp) \
*errnop=ERANGE; \
- *h_errnop=TRY_AGAIN; \
+ *h_errnop=NETDB_INTERNAL; \
return NSS_STATUS_TRYAGAIN;
#undef ERROR_OUT_WRITEERROR
--
1.8.5.3

17
SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch Normal file
View File

@ -0,0 +1,17 @@
diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password nss-pam-ldapd-0.8.13/nslcd/myldap.c
--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password 2017-10-24 12:04:22.275105596 +0200
+++ nss-pam-ldapd-0.8.13/nslcd/myldap.c 2017-10-24 12:04:39.355175121 +0200
@@ -967,6 +967,13 @@ static int do_retry_search(MYLDAP_SEARCH
/* try to start the search */
pthread_mutex_unlock(&uris_mutex);
rc=do_try_search(search);
+ /* if we are authenticating a user and get an error regarding failed
+ password we should error out instead of trying all servers */
+ if ((search->session->binddn[0] != '\0') && (rc == LDAP_INVALID_CREDENTIALS))
+ {
+ do_close(search->session);
+ return rc;
+ }
if (rc==LDAP_SUCCESS)
{
pthread_mutex_lock(&uris_mutex);

35
SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch Normal file
View File

@ -0,0 +1,35 @@
diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password nss-pam-ldapd-0.8.13/nslcd/myldap.c
--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password 2017-10-24 12:38:29.315411416 +0200
+++ nss-pam-ldapd-0.8.13/nslcd/myldap.c 2017-10-24 12:38:52.727517587 +0200
@@ -88,7 +88,7 @@ struct ldap_session
/* the username to bind with */
char binddn[256];
/* the password to bind with if any */
- char bindpw[64];
+ char bindpw[128];
/* timestamp of last activity */
time_t lastactivity;
/* index into ldc_uris: currently connected LDAP uri */
diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password nss-pam-ldapd-0.8.13/nslcd/pam.c
--- nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password 2017-10-24 12:39:50.761780765 +0200
+++ nss-pam-ldapd-0.8.13/nslcd/pam.c 2017-10-24 12:41:15.083163153 +0200
@@ -246,7 +246,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SES
int rc;
char username[256];
char servicename[64];
- char password[64];
+ char password[128];
const char *userdn;
MYLDAP_ENTRY *entry;
int authzrc=NSLCD_PAM_SUCCESS;
@@ -617,8 +617,8 @@ int nslcd_pam_pwmod(TFILE *fp,MYLDAP_SES
char userdn[256];
int asroot;
char servicename[64];
- char oldpassword[64];
- char newpassword[64];
+ char oldpassword[128];
+ char newpassword[128];
const char *binddn=NULL; /* the user performing the modification */
MYLDAP_ENTRY *entry;
char authzmsg[1024];

98
SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch Normal file
View File

@ -0,0 +1,98 @@
diff -up nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/group.c
--- nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting 2013-02-23 22:24:00.000000000 +0100
+++ nss-pam-ldapd-0.8.13/nslcd/group.c 2017-10-24 14:17:27.489696761 +0200
@@ -109,10 +109,8 @@ static int mkfilter_group_bygid(gid_t gi
}
else
{
- return mysnprintf(buffer,buflen,
- "(&%s(%s=%d))",
- group_filter,
- attmap_group_gidNumber,(int)gid);
+ return mysnprintf(buffer,buflen,"(&%s(%s=%lu))",
+ group_filter,attmap_group_gidNumber,(unsigned long int)gid);
}
}
diff -up nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/nslcd.c
--- nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting 2017-10-24 14:17:05.117590857 +0200
+++ nss-pam-ldapd-0.8.13/nslcd/nslcd.c 2017-10-24 14:17:27.490696766 +0200
@@ -402,8 +402,8 @@ static void handleconnection(int sock,MY
if (getpeercred(sock,&uid,&gid,&pid))
log_log(LOG_DEBUG,"connection from unknown client: %s",strerror(errno));
else
- log_log(LOG_DEBUG,"connection from pid=%d uid=%d gid=%d",
- (int)pid,(int)uid,(int)gid);
+ log_log(LOG_DEBUG,"connection from pid=%lu uid=%lu gid=%lu",
+ (unsigned long int)pid,(unsigned long int)uid,(unsigned long int)gid);
/* create a stream object */
if ((fp=tio_fdopen(sock,READ_TIMEOUT,WRITE_TIMEOUT,
READBUFFER_MINSIZE,READBUFFER_MAXSIZE,
@@ -519,7 +519,7 @@ static void create_pidfile(const char *f
log_log(LOG_ERR,"cannot truncate pid file (%s): %s",filename,strerror(errno));
exit(EXIT_FAILURE);
}
- mysnprintf(buffer,sizeof(buffer),"%d\n",(int)getpid());
+ mysnprintf(buffer,sizeof(buffer),"%lu\n",(unsigned long int)getpid());
if (write(fd,buffer,strlen(buffer))!=(int)strlen(buffer))
{
log_log(LOG_ERR,"error writing pid file (%s): %s",filename,strerror(errno));
@@ -755,11 +755,11 @@ int main(int argc,char *argv[])
#ifdef HAVE_INITGROUPS
/* load supplementary groups */
if (initgroups(nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid)<0)
- log_log(LOG_WARNING,"cannot initgroups(\"%s\",%d) (ignored): %s",
- nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid,strerror(errno));
+ log_log(LOG_WARNING,"cannot initgroups(\"%s\",%lu) (ignored): %s",
+ nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid,strerror(errno));
else
- log_log(LOG_DEBUG,"initgroups(\"%s\",%d) done",
- nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid);
+ log_log(LOG_DEBUG,"initgroups(\"%s\",%lu) done",
+ nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid);
#else /* not HAVE_INITGROUPS */
#ifdef HAVE_SETGROUPS
/* just drop all supplemental groups */
@@ -777,20 +777,22 @@ int main(int argc,char *argv[])
{
if (setgid(nslcd_cfg->ldc_gid)!=0)
{
- log_log(LOG_ERR,"cannot setgid(%d): %s",(int)nslcd_cfg->ldc_gid,strerror(errno));
+ log_log(LOG_ERR,"cannot setgid(%lu): %s",
+ (unsigned long int)nslcd_cfg->ldc_gid,strerror(errno));
exit(EXIT_FAILURE);
}
- log_log(LOG_DEBUG,"setgid(%d) done",(int)nslcd_cfg->ldc_gid);
+ log_log(LOG_DEBUG,"setgid(%lu) done",(unsigned long int)nslcd_cfg->ldc_gid);
}
/* change to nslcd uid */
if (nslcd_cfg->ldc_uid!=NOUID)
{
if (setuid(nslcd_cfg->ldc_uid)!=0)
{
- log_log(LOG_ERR,"cannot setuid(%d): %s",(int)nslcd_cfg->ldc_uid,strerror(errno));
+ log_log(LOG_ERR,"cannot setuid(%lu): %s",
+ (unsigned long int)nslcd_cfg->ldc_uid,strerror(errno));
exit(EXIT_FAILURE);
}
- log_log(LOG_DEBUG,"setuid(%d) done",(int)nslcd_cfg->ldc_uid);
+ log_log(LOG_DEBUG,"setuid(%lu) done",(unsigned long int)nslcd_cfg->ldc_uid);
}
/* block all these signals so our worker threads won't handle them */
sigemptyset(&signalmask);
diff -up nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/passwd.c
--- nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting 2013-02-23 22:24:00.000000000 +0100
+++ nss-pam-ldapd-0.8.13/nslcd/passwd.c 2017-10-24 14:17:27.490696766 +0200
@@ -115,10 +115,8 @@ static int mkfilter_passwd_byuid(uid_t u
}
else
{
- return mysnprintf(buffer,buflen,
- "(&%s(%s=%d))",
- passwd_filter,
- attmap_passwd_uidNumber,(int)uid);
+ return mysnprintf(buffer,buflen, "(&%s(%s=%lu))",
+ passwd_filter,attmap_passwd_uidNumber,(unsigned long int)uid);
}
}

24
SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list nss-pam-ldapd-0.8.13/man/nslcd.conf.5
--- nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list 2017-10-24 14:08:54.429271306 +0200
+++ nss-pam-ldapd-0.8.13/man/nslcd.conf.5 2017-10-24 14:09:31.691444445 +0200
@@ -46,7 +46,7 @@ Note that you should use values that don
to resolve.
.SS "GENERAL CONNECTION OPTIONS"
.TP
-\*(T<\fBuri\fR\*(T> \fIURI\fR
+\*(T<\fBuri\fR\*(T> \fIURI\fR ...
Specifies the LDAP URI of the
server to connect to.
The URI scheme may be \*(T<ldap\*(T>,
@@ -66,8 +66,9 @@ When using the ldapi scheme, %2f should
(e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the
time this should not be needed.
-This option may be specified multiple times. Normally, only the first
-server will be used with the following servers as fall-back (see
+This option may be specified multiple times and/or with more URIs on the
+line, separated by space. Normally, only the first server will be used
+with the following servers as fall-back (see
\*(T<\fBbind_timelimit\fR\*(T> below).
If LDAP lookups are used for host name resolution,

10
SOURCES/nss-pam-ldapd-exitcode.patch Normal file
View File

@ -0,0 +1,10 @@
diff -up nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode nss-pam-ldapd-0.8.14/nslcd/nslcd.c
--- nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode 2017-02-08 09:52:39.687834074 +0100
+++ nss-pam-ldapd-0.8.14/nslcd/nslcd.c 2017-02-08 09:52:54.630891580 +0100
@@ -866,5 +866,5 @@ int main(int argc,char *argv[])
log_log(LOG_ERR,"thread %d is still running, shutting down anyway",i);
}
/* we're done */
- return EXIT_FAILURE;
+ return EXIT_SUCCESS;
}

30
SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch Normal file
View File

@ -0,0 +1,30 @@
diff -up nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect
--- nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs 2014-01-20 15:32:33.253018468 +0100
+++ nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect 2014-01-20 15:38:00.452957296 +0100
@@ -40,7 +40,7 @@ proc reset_password {} {
expect {
"LDAP administrator password" { send "test\r"; exp_continue }
-regexp "(New|Retype new) password:" { send "test\r"; exp_continue }
- "password updated successfully" {}
+ "passwd: all authentication tokens updated successfully" {}
"Invalid credentials" abort
"Authentication token manipulation error" abort
default abort
@@ -114,7 +114,7 @@ proc test_login_unknown {uid passwd} {
expect {
"Password:" { send "$passwd\r"; exp_continue }
"Unknown id" {}
- "No passwd entry for user" {}
+ "su: user $uid does not exist" {}
"\$ " abort
default abort
}
@@ -156,7 +156,7 @@ expect {
}
expect {
-regexp "(New|Retype new) password:" { send "newpassword\r"; exp_continue }
- "password updated successfully" {}
+ "passwd: all authentication tokens updated successfully" {}
"Invalid credentials" abort
"Authentication token manipulation error" abort
"\$ " abort

640
SPECS/nss-pam-ldapd.spec Normal file
View File

@ -0,0 +1,640 @@
%if 0%{?fedora} > 15 || 0%{?rhel} > 6
%global systemd 1
%global sysvinit 0
%else
%global systemd 0
%global sysvinit 1
%endif

# Fedora had these in F18, but we didn't cut over to use them until after F18
# was frozen, so pretend it didn't happen until F19.
%if 0%{?fedora} > 18 || 0%{?rhel} > 6
%global systemd_macros 1
%else
%global systemd_macros 0
%endif

%if 0%{?fedora} > 14 || 0%{?rhel} > 6
%global tmpfiles 1
%else
%global tmpfiles 0
%endif

# Fedora had it in F17, but moving things around in already-released versions
# is a bad idea, so pretend it didn't happen until F19.
%if 0%{?fedora} > 18 || 0%{?rhel} > 6
%global separate_usr 0
%global nssdir %{_libdir}
%global pamdir %{_libdir}/security
%else
%global separate_usr 1
%global nssdir /%{_lib}
%global pamdir /%{_lib}/security
%endif

# For distributions that support it, build with RELRO
%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
%define _hardened_build 1
%endif

Name: nss-pam-ldapd
Version: 0.8.13
Release: 16%{?dist}
Summary: An nsswitch module which uses directory servers
Group: System Environment/Base
License: LGPLv2+
URL: http://arthurdejong.org/nss-pam-ldapd/
Source0: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz
Source1: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz.sig
Source2: nslcd.init
Source3: nslcd.tmpfiles
Source4: nslcd.service
Patch1: nss-pam-ldapd-0.8.12-validname.patch
Patch2: nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch
Patch3: nss-pam-ldapd-0.8.12-uid-overflow.patch
Patch4: nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch
Patch5: nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch
Patch6: nss-pam-ldapd-rh-msgs-in-tests.patch
Patch7: nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch
Patch8: nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch
Patch9: nss-pam-ldapd-exitcode.patch
Patch10: nss-pam-ldapd-0.8.12-str-cmp.patch
Patch11: nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch
Patch12: nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch
Patch13: nss-pam-ldapd-0.8.13-uri-man-fix.patch
Patch14: nss-pam-ldapd-0.8.13-uid_formatting.patch

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: openldap-devel, krb5-devel
BuildRequires: autoconf, automake
BuildRequires: pam-devel
Obsoletes: nss-ldapd < 0.7
Provides: nss-ldapd = %{version}-%{release}

# Obsolete PADL's nss_ldap
Provides: nss_ldap = 265-12
Obsoletes: nss_ldap < 265-11

%if 0%{?fedora} > 18 || 0%{?rhel} > 6
# Obsolete PADL's pam_ldap
Provides: pam_ldap = 185-15
Obsoletes: pam_ldap < 185-15
%global build_pam_ldap 1
%else
# Pull in the pam_ldap module, which is its own package in F14 and later, to
# keep upgrades from removing the module. We used to disable nss-pam-ldapd's
# own pam_ldap.so when it wasn't mature enough.
Requires: pam_ldap%{?_isa}
%global build_pam_ldap 0
%endif

# Pull in nscd, which is recommended.
Requires: nscd
%if %{sysvinit}
Requires(post): /sbin/ldconfig, chkconfig, grep, sed
Requires(preun): chkconfig, initscripts
Requires(postun): /sbin/ldconfig, initscripts
%endif
%if %{systemd}
BuildRequires: systemd-units
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(post): systemd-sysv
%endif

%description
The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name
service information (users, groups, etc.) on behalf of a lightweight
nsswitch module.

%prep
%setup -q
%patch1 -p0 -b .validname
%patch2 -p1 -b .epipe
%patch3 -p1 -b .overflow
%patch4 -p1 -b .skiptimeout
%patch5 -p1 -b .readall
%patch6 -p1 -b .test_msgs
%patch7 -p1 -b .use_after_free
%patch8 -p1 -b .errnop_val
%patch9 -p1 -b .exit_code
%patch10 -p1 -b .str_cmp
%patch11 -p1 -b .avoid_lockout_on_bad_password
%patch12 -p1 -b .long_password
%patch13 -p1 -b .uri_list
%patch14 -p1 -b .uid_formatting
autoreconf -f -i

%build
CFLAGS="$RPM_OPT_FLAGS -fPIC" ; export CFLAGS
%configure --libdir=%{nssdir} \
%if %{build_pam_ldap}
--with-pam-seclib-dir=%{pamdir}
%else
--disable-pam
%endif
make %{?_smp_mflags}

%check
make check

%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/{%{_initddir},%{_libdir},%{_unitdir}}
%if %{sysvinit}
install -p -m755 %{SOURCE2} $RPM_BUILD_ROOT/%{_initddir}/nslcd
%endif
%if %{systemd}
install -p -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/
%endif

%if 0%{?fedora} > 13 || 0%{?rhel} > 5
%if %{separate_usr}
# Follow glibc's convention and provide a .so symlink so that people who know
# what to expect can link directly with the module.
if test %{_libdir} != /%{_lib} ; then
touch $RPM_BUILD_ROOT/rootfile
relroot=..
while ! test -r $RPM_BUILD_ROOT/%{_libdir}/$relroot/rootfile ; do
relroot=../$relroot
done
ln -s $relroot/%{_lib}/libnss_ldap.so.2 \
$RPM_BUILD_ROOT/%{_libdir}/libnss_ldap.so
rm $RPM_BUILD_ROOT/rootfile
fi
%else
ln -s libnss_ldap.so.2 $RPM_BUILD_ROOT/%{nssdir}/libnss_ldap.so
%endif
%endif

sed -i -e 's,^uid.*,uid nslcd,g' -e 's,^gid.*,gid ldap,g' \
$RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
touch -r nslcd.conf $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf
mkdir -p -m 0755 $RPM_BUILD_ROOT/var/run/nslcd
%if %{tmpfiles}
mkdir -p -m 0755 $RPM_BUILD_ROOT/%{_tmpfilesdir}
install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_tmpfilesdir}/%{name}.conf
%endif

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO
%{_sbindir}/*
%{nssdir}/*.so.*
%if %{build_pam_ldap}
%{pamdir}/pam_ldap.so
%endif
%{_mandir}/*/*
%attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /etc/nslcd.conf
%if %{tmpfiles}
%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf
%endif
%if %{sysvinit}
%attr(0755,root,root) %{_initddir}/nslcd
%endif
%if %{systemd}
%config(noreplace) %{_unitdir}/*
%endif
%attr(0755,nslcd,root) /var/run/nslcd
%if 0%{?fedora} > 13 || 0%{?rhel} > 5
# This would be the only thing in the -devel subpackage, so we include it. It
# will conflict with nss_ldap, so only include it for releases where pam_ldap is
# its own package.
/%{_libdir}/*.so
%endif

%pre
getent group ldap > /dev/null || \
/usr/sbin/groupadd -r -g 55 ldap
getent passwd nslcd > /dev/null || \
/usr/sbin/useradd -r -g ldap -c 'LDAP Client User' \
-u 65 -d / -s /sbin/nologin nslcd 2> /dev/null || :

%post
# The usual stuff.
%if %{sysvinit}
/sbin/chkconfig --add nslcd
%endif
%if %{systemd}
%if %{systemd_macros}
%systemd_post nslcd.service
%else
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
%endif
%endif
/sbin/ldconfig
# Import important non-default settings from nss_ldap or pam_ldap configuration
# files, but only the first time this package is installed.
comment="This comment prevents repeated auto-migration of settings."
if test -s /etc/nss-ldapd.conf ; then
source=/etc/nss-ldapd.conf
elif test -s /etc/nss_ldap.conf ; then
source=/etc/nss_ldap.conf
elif test -s /etc/pam_ldap.conf ; then
source=/etc/pam_ldap.conf
else
source=/etc/ldap.conf
fi
target=/etc/nslcd.conf
if test "$1" -eq "1" && ! grep -q -F "# $comment" $target 2> /dev/null ; then
# Try to make sure we only do this the first time.
echo "# $comment" >> $target
if grep -E -q '^uri[[:blank:]]' $source 2> /dev/null ; then
# Comment out the packaged default host/uri and replace it...
sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target
# ... with the uri.
grep -E '^uri[[:blank:]]' $source >> $target
elif grep -E -q '^host[[:blank:]]' $source 2> /dev/null ; then
# Comment out the packaged default host/uri and replace it...
sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target
# ... with the "host" reformatted as a URI.
scheme=ldap
# check for 'ssl on', which means we want to use ldaps://
if grep -E -q '^ssl[[:blank:]]+on$' $source 2> /dev/null ; then
scheme=ldaps
fi
grep -E '^host[[:blank:]]' $source |\
sed -r -e "s,^host[[:blank:]](.*),uri ${scheme}://\1/,g" >> $target
fi
# Base doesn't require any special logic.
if grep -E -q '^base[[:blank:]]' $source 2> /dev/null ; then
# Comment out the packaged default base and replace it.
sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' $target
grep -E '^base[[:blank:]]' $source >> $target
fi
# Pull in these settings, if they're set, directly.
grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' $source 2> /dev/null >> $target
grep -E '^(tls_)' $source 2> /dev/null >> $target
grep -E '^(timelimit|bind_timelimit|idle_timelimit)[[:blank:]]' $source 2> /dev/null >> $target
fi
# If this is the first time we're being installed, and the system is already
# configured to use LDAP as a naming service, enable the daemon, but don't
# start it since we can never know if that's a safe thing to do. If this
# is an upgrade, leave the user's runlevel selections alone.
if [ "$1" -eq "1" ]; then
if grep -E -q '^USELDAP=yes$' /etc/sysconfig/authconfig 2> /dev/null ; then
%if %{sysvinit}
/sbin/chkconfig nslcd on
%endif
%if %{systemd}
/bin/systemctl --no-reload enable nslcd.service >/dev/null 2>&1 ||:
%endif
fi
fi
# Earlier versions of 0.7.6 of this package would have included both 'gid
# nslcd' (a group which doesn't exist) and 'gid ldap' (which we ensure exists).
# If we detect both, fix the configuration.
if grep -q '^gid nslcd' $target ; then
if grep -q '^gid ldap' $target ; then
sed -i -e 's,^gid nslcd$,# gid nslcd,g' $target
fi
fi
# In 0.8.4, the name of the attribute which was expected to contain the DNs of
# a group's members changed from "uniqueMember" to "member". Change any
# instances of "map group uniqueMember ..." to "map group member ...", unless
# "member" is already being mapped, in which case attempting this would
# probably just confuse things further.
if grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]]" $target ; then
if ! grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+member[[:blank:]]" $target ; then
sed -i -r -e "s,^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]](.*),map group member \1,g" $target
fi
fi
# Create the daemon's /var/run directory if it isn't there.
if ! test -d /var/run/nslcd ; then
mkdir -p -m 0755 /var/run/nslcd
fi
exit 0

%preun
if [ "$1" -eq "0" ]; then
%if %{sysvinit}
/sbin/service nslcd stop >/dev/null 2>&1
/sbin/chkconfig --del nslcd
%endif
%if %{systemd}
%if %{systemd_macros}
%systemd_preun nslcd.service
%else
/bin/systemctl --no-reload disable nslcd.service > /dev/null 2>&1 || :
/bin/systemctl stop nslcd.service > /dev/null 2>&1 || :
%endif
%endif
fi
exit 0

%postun
/sbin/ldconfig
%if %{sysvinit}
if [ "$1" -ge "1" ]; then
/etc/rc.d/init.d/nslcd condrestart >/dev/null 2>&1
fi
%endif
%if %{systemd}
%if %{systemd_macros}
%systemd_postun_with_restart nslcd.service
%else
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ "$1" -ge "1" ]; then
/bin/systemctl try-restart nslcd.service >/dev/null 2>&1
fi
%endif
%endif
exit 0

%if %{systemd}
%triggerun -- nss-pam-ldapd < 0.7.13-6
# Save the current service runlevel info, in case the user wants to apply
# the enabled status manually later, by running
# "systemd-sysv-convert --apply nslcd".
%{_bindir}/systemd-sysv-convert --save nslcd >/dev/null 2>&1 ||:
# Do this because the old package's %%postun doesn't know we need to do it.
/sbin/chkconfig --del nslcd >/dev/null 2>&1 || :
# Do this because the old package's %%postun wouldn't have tried.
/bin/systemctl try-restart nslcd.service >/dev/null 2>&1 || :
exit 0
%endif

%changelog
* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-16
- Resolves: rhbz#1151675 - NSLCD WRAPS LDAP USER UIDNUMBER > 2^31 SO UID
IS WRONG (AND A NEGATIVE NUMBER)

* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-15
- Resolves: rhbz#1204202 - fix doc to describe actual uri format in
nslcd.conf

* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-14
- Resolves: rhbz#1288429 - /etc/tmpfiles.d/nss-pam-ldapd.conf shipped when
/etc/tmpfiles.d is reserved for the local
administrator

* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-13
- Resolves: rhbz#1312297 - nslcd.service does not restart on failure

* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-12
- Resolves: rhbz#1425790 - Unable to authenticate with 64 character password
using nss-pam-ldapd

* Tue Oct 24 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-11
- Resolves: rhbz#1497761 - Incorrect password tries to bind to all domain
controllers and locks user out

* Mon Oct 23 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-10
- Resolves: rhbz#1357493 - In RHEL 7, authentication failing when using
nslcd + pam_ldap where user has different in
nis/passwd and ldap.

* Mon Oct 23 2017 Jakub Hrozek <jhrozek@redhat.com> - 0.8.13-9
- Resolves: rhbz#1420576 - 'systemctl status nslcd' always returns FAILURE
status even though the service is stopped with
'systemctl stop nslcd

* Wed Jan 29 2014 Jakub Hrozek <jhrozek@redhat.com> 0.8.13-8
- Fix a potential use-after-free in nsswitch module
- Resolves: rhbz#1036030 - New defect found in nss-pam-ldapd-0.8.13-4.el7

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.8.13-7
- Mass rebuild 2014-01-24

* Mon Jan 20 2014 Jakub Hrozek <jhrozek@redhat.com> 0.8.13-6
- Change the error messages the tests expect to those printed on RH based
systems
- Resolves: rhbz#1044482

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.8.13-5
- Mass rebuild 2013-12-27

* Fri Oct 18 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.13-4
- compile nslcd/log.c with -fPIC instead of the current hardened-build default
of -fPIE, which doesn't seem to avoid relocations for its thread-local
variables on s390x (#1002834)

* Sat Oct 05 2013 Jakub Hrozek <jhrozek@redhat.com> 0.8.13-3
- Suppress Broken Pipe messages when requesting a large groupo
- Resolves: rhbz#1002829

* Wed Jul 31 2013 Jakub Hrozek <jhrozek@redhat.com> 0.8.13-2
- Build with _hardened_build macro

* Mon May 6 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.13-1
- update to 0.8.13
- correct a syntax error in the fix that was added for #832706

* Tue Apr 30 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.12-4
- in %%post, attempt to rewrite any instances of "map group uniqueMember ..."
to be "map group member ..." in nslcd.conf, as the attribute name changed
in 0.8.4 (via freeipa ticket #3589)

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.12-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Fri Jan 18 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.12-2
- drop local patch to make the client flush some more read buffers

* Fri Jan 18 2013 Nalin Dahyabhai <nalin@redhat.com> 0.8.12-1
- update to 0.8.12 (#846793)
- make building pam_ldap conditional on the targeted release
- add "After=named.service dirsrv.target slapd.service" to nslcd.service,
to make sure that nslcd is started after them if they're to be started
on the local system (#832706)
- alter the versioned Obsoletes: on pam_ldap to include the F18 package
- use %%{_unitdir} when deciding where to put systemd configuration, based
on patch from Václav Pavlín (#850232)
- use new systemd macros for scriptlet hooks, when available, based on
patch from Václav Pavlín (#850232)

* Sun Sep 09 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.17-1
- new upstream release 0.7.17

* Sun Aug 05 2012 Jakub Hrozek <jhrozek@redhat.com> - 0.7.16-5
- Obsolete PADL's nss_ldap

* Sat Aug 04 2012 Jakub Hrozek <jhrozek@redhat.com> - 0.7.16-4
- Build the PAM module, obsoletes PADL's pam-ldap (#856006)

* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.16-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Mon May 14 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.16-2
- backport upstream revision r1659 related to broken pipe when
requesting a large group
- use grep -E instead of egrep to avoid rpmlint warnings

* Sat Apr 28 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.16-1
- new upstream release 0.7.16

* Thu Mar 15 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.15-2
- Do not print "Broken Pipe" error message when requesting a large group

* Fri Mar 9 2012 Jakub Hrozek <jhrozek@redhat.com> 0.7.15-1
- new upstream release 0.7.15

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Fri Dec 16 2011 Jakub Hrozek <jhrozek@redhat.com> 0.7.14-2
- Do not overflow large UID/GID values on 32bit architectures

* Mon Nov 28 2011 Nalin Dahyabhai <nalin@redhat.com>
- use the same conditional test for deciding when to create the .so symlink as
we do later on for deciding when to include it in the package (#757004)

* Fri Sep 23 2011 Jakub Hrozek <jhrozek@redhat.com> 0.7.14-1
- new upstream release 0.7.14
- obsoletes nss-pam-ldapd-0.7.x-buffers.patch

* Wed Aug 24 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-8
- include backported enhancement to take URIs in the form "dns:DOMAIN" in
addition to the already-implemented "dns" (#730309)

* Thu Jul 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-7
- switch to only munging the contents of /etc/nslcd.conf on the very first
install (#706454)
- make sure that we have enough space to parse any valid GID value when
parsing a user's primary GID (#716822)
- backport support for the "validnames" option from SVN and use it to allow
parentheses characters by modifying the default setting (#690870), then
modify the default again to also allow shorter and shorter names to pass
muster (#706860)

* Wed Jul 13 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-6
- convert to systemd-native startup (#716997)

* Mon Jun 13 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-5
- change the file path Requires: we have for pam_ldap into a package name
Requires: (#601931)

* Wed Mar 30 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-4
- tag nslcd.conf with %%verify(not md5 size mtime), since we always tweak
it in %%post (#692225)

* Tue Mar 1 2011 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-3
- add a tmpfiles configuration to ensure that /var/run/nslcd is created when
/var/run is completely empty at boot (#656643)

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Dec 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.13-1
- update to 0.7.13

* Fri Oct 29 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.12-1
- update to 0.7.12

* Fri Oct 15 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.11-1
- update to 0.7.11

* Wed Sep 29 2010 jkeating - 0.7.10-2
- Rebuilt for gcc bug 634757

* Fri Sep 24 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.10-1
- update to 0.7.10

* Thu Sep 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.9-2
- when creating /var/run/nslcd in the buildroot, specify that 0755 is a
permissions value and not another directory name (#636880)

* Mon Aug 30 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.9-1
- update to 0.7.9

* Wed Aug 18 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.8-1
- update to 0.7.8

* Wed Jul 7 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.7-1
- update to 0.7.7

* Mon Jun 28 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.6-3
- don't accidentally set multiple 'gid' settings in nslcd.conf, and try to
clean up after older versions of this package that did (#608314)

* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.6-2
- make inclusion of the .so symlink conditional on being on a sufficiently-
new Fedora where pam_ldap isn't part of the nss_ldap package, so having
this package conflict with nss_ldap doesn't require that pam_ldap be
removed (#596691)

* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.6-1
- update to 0.7.6

* Mon May 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.5-3
- switch to the upstream patch for #592411

* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.5-2
- don't return an uninitialized buffer as the value for an optional attribute
that isn't present in the directory server entry (#592411)

* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.5-1
- update to 0.7.5

* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.4-1
- update to 0.7.4
- stop trying to migrate retry timeout parameters from old ldap.conf files
- add an explicit requires: on nscd to make sure it's at least available on
systems that are using nss-pam-ldapd; otherwise it's usually optional

* Tue Mar 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.3-1
- update to 0.7.3

* Thu Feb 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.2-2
- bump release for post-review commit

* Thu Feb 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.7.2-1
- add comments about why we have a .so link at all, and not a -devel subpackage

* Wed Jan 13 2010 Nalin Dahyabhai <nalin@redhat.com>
- obsolete/provides nss-ldapd
- import configuration from nss-ldapd.conf, too

* Tue Jan 12 2010 Nalin Dahyabhai <nalin@redhat.com>
- rename to nss-pam-ldapd
- also check for import settings in /etc/nss_ldap.conf and /etc/pam_ldap.conf

* Thu Sep 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.11-2
- rebuild

* Wed Sep 16 2009 Nalin Dahyabhai <nalin@redhat.com>
- apply Mitchell Berger's patch to clean up the init script, use %%{_initddir},
and correct the %%post so that it only thinks about turning on nslcd when
we're first being installed (#522947)
- tell status() where the pidfile is when the init script is called for that

* Tue Sep 8 2009 Nalin Dahyabhai <nalin@redhat.com>
- fix typo in a comment, capitalize the full name for "LDAP Client User" (more
from #516049)

* Wed Sep 2 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.11-1
- update to 0.6.11

* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6.10-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Thu Jun 18 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.10-3
- update URL: and Source:

* Mon Jun 15 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.10-2
- add and own /var/run/nslcd
- convert hosts to uri during migration

* Thu Jun 11 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.10-1
- update to 0.6.10

* Fri Apr 17 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.8-1
- bump release number to 1 (part of #491767)
- fix which group we check for during %%pre (part of #491767)

* Tue Mar 24 2009 Nalin Dahyabhai <nalin@redhat.com>
- require chkconfig by package rather than path (Jussi Lehtola, part of #491767)

* Mon Mar 23 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.8-0.1
- update to 0.6.8

* Mon Mar 23 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.7-0.1
- start using a dedicated user

* Wed Mar 18 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6.7-0.0
- initial package (#445965)