From 0479a63b691b471aa0ba4f1aad672d902f637edc Mon Sep 17 00:00:00 2001 From: basebuilder_pel7x64builder0 Date: Wed, 6 Jun 2018 01:35:27 +0200 Subject: [PATCH] nss-pam-ldapd package update Signed-off-by: basebuilder_pel7x64builder0 --- SOURCES/nslcd.init | 86 +++ SOURCES/nslcd.service | 14 + SOURCES/nslcd.tmpfiles | 2 + ...-nslcd-log-EPIPE-only-on-debug-level.patch | 30 + ...-when-skipping-remaining-result-data.patch | 111 +++ ...low-on-interrupted-read-thanks-John-.patch | 39 ++ SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch | 12 + .../nss-pam-ldapd-0.8.12-uid-overflow.patch | 77 +++ SOURCES/nss-pam-ldapd-0.8.12-validname.patch | 36 + ...free-in-read_hostent-and-read_netent.patch | 46 ++ ...rnop-for-retrying-with-larger-buffer.patch | 41 ++ ...0.8.13-avoid-lockout-on-bad-password.patch | 17 + ...0.8.13-password-longer-than-64-chars.patch | 35 + .../nss-pam-ldapd-0.8.13-uid_formatting.patch | 98 +++ .../nss-pam-ldapd-0.8.13-uri-man-fix.patch | 24 + SOURCES/nss-pam-ldapd-exitcode.patch | 10 + SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch | 30 + SPECS/nss-pam-ldapd.spec | 640 ++++++++++++++++++ 18 files changed, 1348 insertions(+) create mode 100644 SOURCES/nslcd.init create mode 100644 SOURCES/nslcd.service create mode 100644 SOURCES/nslcd.tmpfiles create mode 100644 SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.12-validname.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch create mode 100644 SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch create mode 100644 SOURCES/nss-pam-ldapd-exitcode.patch create mode 100644 SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch create mode 100644 SPECS/nss-pam-ldapd.spec diff --git a/SOURCES/nslcd.init b/SOURCES/nslcd.init new file mode 100644 index 00000000..1f5fe111 --- /dev/null +++ b/SOURCES/nslcd.init @@ -0,0 +1,86 @@ +#!/bin/sh +# +# chkconfig: - 12 88 +# description: Provides naming services using a directory server. +# processname: /usr/sbin/nslcd +# config: /etc/nslcd.conf +# pidfile: /var/run/nslcd/nslcd.pid +# + +### BEGIN INIT INFO +# Provides: nslcd +# Required-Start: $network +# Required-Stop: +# Default-Start: +# Default-Stop: +# Short-Description: naming services LDAP client daemon +# Description: Provides naming services using a directory server. +### END INIT INFO + +program=/usr/sbin/nslcd +prog=${program##*/} +pidfile=/var/run/nslcd/nslcd.pid + +if [ -f /etc/rc.d/init.d/functions ]; then + . /etc/rc.d/init.d/functions +fi + +RETVAL=0 + +start() { + echo -n $"Starting $prog: " + daemon $program + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog + return $RETVAL +} + +stop() { + echo -n $"Stopping $prog: " + killproc $program + RETVAL=$? + echo + if [ $RETVAL -eq 0 ]; then + rm -f /var/lock/subsys/$prog + fi +} + +restart() { + stop + start +} + +# See how we were called. +case "$1" in + start) + [ -f /var/lock/subsys/$prog ] && exit 0 + $1 + ;; + stop) + [ -f /var/lock/subsys/$prog ] || exit 0 + $1 + ;; + restart) + $1 + ;; + status) + status -p $pidfile $program + RETVAL=$? + ;; + condrestart|try-restart) + [ -f /var/lock/subsys/$prog ] && restart || : + ;; + reload) + echo "can't reload configuration, you have to restart it" + RETVAL=3 + ;; + force-reload) + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 1 + ;; +esac +exit $RETVAL diff --git a/SOURCES/nslcd.service b/SOURCES/nslcd.service new file mode 100644 index 00000000..61ae1fd4 --- /dev/null +++ b/SOURCES/nslcd.service @@ -0,0 +1,14 @@ +[Unit] +Description=Naming services LDAP client daemon. +After=syslog.target network.target named.service dirsrv.target slapd.service +Documentation=man:nslcd(8) man:nslcd.conf(5) + +[Service] +Type=forking +PIDFile=/var/run/nslcd/nslcd.pid +ExecStart=/usr/sbin/nslcd +RestartSec=10s +Restart=on-failure + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/nslcd.tmpfiles b/SOURCES/nslcd.tmpfiles new file mode 100644 index 00000000..2230173e --- /dev/null +++ b/SOURCES/nslcd.tmpfiles @@ -0,0 +1,2 @@ +# nslcd needs a directory in /var/run to store its pid file and socket +d /var/run/nslcd 0755 nslcd root diff --git a/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch b/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch new file mode 100644 index 00000000..ff84f946 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch @@ -0,0 +1,30 @@ +From ec2ac2cc7eaa945f3d07d2528ddd4b8d9b8d38e1 Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 6 Oct 2013 14:14:39 +0000 +Subject: [PATCH 3/3] in nslcd, log EPIPE only on debug level (4897033 from + 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2032 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + nslcd/common.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/nslcd/common.h b/nslcd/common.h +index 736d7c09c9cd6d333fc4caa0a15144cc83eb9ecd..c48decb58df5262f459e0862f677960c31e20df7 100644 +--- a/nslcd/common.h ++++ b/nslcd/common.h +@@ -43,7 +43,10 @@ + stream */ + + #define ERROR_OUT_WRITEERROR(fp) \ +- log_log(LOG_WARNING,"error writing to client: %s",strerror(errno)); \ ++ if (errno==EPIPE) \ ++ log_log(LOG_DEBUG, "error writing to client: %s", strerror(errno)); \ ++ else \ ++ log_log(LOG_WARNING, "error writing to client: %s", strerror(errno)); \ + return -1; + + #define ERROR_OUT_READERROR(fp) \ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch b/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch new file mode 100644 index 00000000..f5e70673 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch @@ -0,0 +1,111 @@ +From 335f7e085b45556276d2c1f224648a7eed28e4fd Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 6 Oct 2013 14:11:51 +0000 +Subject: [PATCH 2/3] use a timeout when skipping remaining result data + (c9e2f97 from 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2031 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + common/tio.c | 6 +++--- + common/tio.h | 4 ++-- + nss/common.h | 10 +++++++--- + 3 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/common/tio.c b/common/tio.c +index 9aef80ca91faedad8f75e09b9070d22ed4a0878d..780ea38f175482dfed5e1c754ef75e93ffd83768 100644 +--- a/common/tio.c ++++ b/common/tio.c +@@ -2,7 +2,7 @@ + tio.c - timed io functions + This file is part of the nss-pam-ldapd library. + +- Copyright (C) 2007, 2008, 2010, 2011, 2012 Arthur de Jong ++ Copyright (C) 2007, 2008, 2010, 2011, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -298,7 +298,7 @@ int tio_skip(TFILE *fp, size_t count) + } + + /* Read all available data from the stream and empty the read buffer. */ +-int tio_skipall(TFILE *fp) ++int tio_skipall(TFILE *fp,int skiptimeout) + { + struct pollfd fds[1]; + int rv; +@@ -318,7 +318,7 @@ int tio_skipall(TFILE *fp) + /* see if any data is available */ + fds[0].fd=fp->fd; + fds[0].events=POLLIN; +- rv=poll(fds,1,0); ++ rv=poll(fds,1,skiptimeout); + /* check the poll() result */ + if (rv==0) + return 0; /* no file descriptor ready */ +diff --git a/common/tio.h b/common/tio.h +index cd3f370732e4c54815187bb8012fd5a5ff8972af..b38d458aedd660ff95ff2e57f9df790ffd51ff6d 100644 +--- a/common/tio.h ++++ b/common/tio.h +@@ -2,7 +2,7 @@ + tio.h - timed io functions + This file is part of the nss-pam-ldapd library. + +- Copyright (C) 2007, 2008, 2010, 2012 Arthur de Jong ++ Copyright (C) 2007, 2008, 2010, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -59,7 +59,7 @@ int tio_read(TFILE *fp,void *buf,size_t count); + int tio_skip(TFILE *fp,size_t count); + + /* Read all available data from the stream and empty the read buffer. */ +-int tio_skipall(TFILE *fp); ++int tio_skipall(TFILE *fp,int skiptimeout); + + /* Write the specified buffer to the stream. */ + int tio_write(TFILE *fp,const void *buf,size_t count); +diff --git a/nss/common.h b/nss/common.h +index e8d8e0526499c252f69a558384ddae8504009d26..3f93a4fb4704092dd5b1a41b024d33abf59cba60 100644 +--- a/nss/common.h ++++ b/nss/common.h +@@ -2,7 +2,7 @@ + common.h - common functions for NSS lookups + + Copyright (C) 2006 West Consulting +- Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong ++ Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Arthur de Jong + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public +@@ -35,6 +35,10 @@ + #include "solnss.h" + #endif /* NSS_FLAVOUR_SOLARIS */ + ++/* skip timeout determines the maximum time to wait when closing the ++ connection and reading whatever data that is available */ ++#define SKIP_TIMEOUT 500 ++ + /* These are macros for handling read and write problems, they are + NSS specific due to the return code so are defined here. They + genrally close the open file, set an error code and return with +@@ -127,7 +131,7 @@ + /* close socket and we're done */ \ + if ((retv==NSS_STATUS_SUCCESS)||(retv==NSS_STATUS_TRYAGAIN)) \ + { \ +- (void)tio_skipall(fp); \ ++ (void)tio_skipall(fp,SKIP_TIMEOUT); \ + (void)tio_close(fp); \ + } \ + return retv; +@@ -203,7 +207,7 @@ + NSS_AVAILCHECK; \ + if (fp!=NULL) \ + { \ +- (void)tio_skipall(fp); \ ++ (void)tio_skipall(fp,SKIP_TIMEOUT); \ + (void)tio_close(fp); \ + fp=NULL; \ + } \ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch b/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch new file mode 100644 index 00000000..6c40f6e8 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch @@ -0,0 +1,39 @@ +From 841dd859360ff07d705e869d2a402f6b181a14f9 Mon Sep 17 00:00:00 2001 +From: Arthur de Jong +Date: Sun, 1 Sep 2013 09:47:18 +0000 +Subject: [PATCH 1/3] fix buffer overflow on interrupted read (thanks John + Sullivan) (07a8170 from 0.9) + +git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd-0.8@2029 ef36b2f9-881f-0410-afb5-c4e39611909c +--- + AUTHORS | 1 + + common/tio.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/AUTHORS b/AUTHORS +index 5debe5f7c2a059e67f47098df8647c66eab85c13..65ee0789cb8c300c59f7b00b75e80b5b51d96ac9 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -119,3 +119,4 @@ Maxim Vetrov + Matthew L. Dailey + Chris Hiestand + Jon Severinsson ++John Sullivan +diff --git a/common/tio.c b/common/tio.c +index 4456198fe84ea72966edb06700c0fff751dd3451..9aef80ca91faedad8f75e09b9070d22ed4a0878d 100644 +--- a/common/tio.c ++++ b/common/tio.c +@@ -283,8 +283,8 @@ int tio_read(TFILE *fp, void *buf, size_t count) + } + else if ((rv<0)&&(errno!=EINTR)&&(errno!=EAGAIN)) + return -1; /* something went wrong with the read */ +- /* skip the read part in the buffer */ +- fp->readbuffer.len=rv; ++ else if (rv>0) ++ fp->readbuffer.len=rv; /* skip the read part in the buffer */ + #ifdef DEBUG_TIO_STATS + fp->bytesread+=rv; + #endif /* DEBUG_TIO_STATS */ +-- +1.8.3.1 + diff --git a/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch b/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch new file mode 100644 index 00000000..1663ee1d --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-str-cmp.patch @@ -0,0 +1,12 @@ +diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp nss-pam-ldapd-0.8.13/nslcd/pam.c +--- nss-pam-ldapd-0.8.13/nslcd/pam.c.str_cmp 2017-10-23 21:18:19.867943857 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/pam.c 2017-10-23 21:18:35.935986527 +0200 +@@ -133,7 +133,7 @@ static void update_username(MYLDAP_ENTRY + return; + } + /* check if the username is different and update it if needed */ +- if (strcmp(username,value)!=0) ++ if (STR_CMP(username,value)!=0) + { + log_log(LOG_INFO,"username changed from \"%s\" to \"%s\"",username,value); + strcpy(username,value); diff --git a/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch b/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch new file mode 100644 index 00000000..815e82df --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-uid-overflow.patch @@ -0,0 +1,77 @@ +Always use a function that we know will catch out-of-range values for UIDs and +GIDs, which are currently unsigned 32-bit numbers everywhere, and which won't +produce a result that'll silently be truncated if we store the result in a +uid_t or gid_t. +--- nss-pam-ldapd/nslcd/common.c ++++ nss-pam-ldapd/nslcd/common.c +@@ -273,19 +273,23 @@ long int binsid2id(const char *binsid) + ((((long int)binsid[i+2])&0xff)<<16)|((((long int)binsid[i+3])&0xff)<<24); + } + +-#ifdef WANT_STRTOUI +-/* provide a strtoui() implementation, similar to strtoul() but returning ++/* provide a strtoid() implementation, similar to strtoul() but returning + an range-checked unsigned int instead */ +-unsigned int strtoui(const char *nptr,char **endptr,int base) ++unsigned int strtoid(const char *nptr,char **endptr,int base) + { +- unsigned long val; +- val=strtoul(nptr,endptr,base); +- if (val>UINT_MAX) ++ long long val; ++ /* use the fact that long long is 64-bit, even on 32-bit systems */ ++ val=strtoll(nptr,endptr,base); ++ if (val>UINT32_MAX) + { + errno=ERANGE; +- return UINT_MAX; ++ return UINT32_MAX; + } +- /* If errno was set by strtoul, we'll pass it back as-is */ +- return (unsigned int)val; ++ else if (val < 0) ++ { ++ errno=EINVAL; ++ return UINT32_MAX; ++ } ++ /* If errno was set, we'll pass it back as-is */ ++ return (uint32_t)val; + } +-#endif /* WANT_STRTOUI */ +--- nss-pam-ldapd/nslcd/common.h ++++ nss-pam-ldapd/nslcd/common.h +@@ -139,31 +139,9 @@ int nsswitch_db_uses_ldap(const char *fi + #endif /* _POSIX_HOST_NAME_MAX */ + #endif /* not HOST_NAME_MAX */ + +-/* provide strtouid() function alias */ +-#if SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_INT +-#define strtouid (uid_t)strtoul +-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_LONG_LONG_INT +-#define strtouid (uid_t)strtoull +-#elif SIZEOF_UID_T == SIZEOF_UNSIGNED_INT +-#define WANT_STRTOUI 1 +-#define strtouid (uid_t)strtoui +-#else +-#error unable to find implementation for strtouid() +-#endif +- +-/* provide strtouid() function alias */ +-#if SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_INT +-#define strtogid (gid_t)strtoul +-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_LONG_LONG_INT +-#define strtogid (gid_t)strtoull +-#elif SIZEOF_GID_T == SIZEOF_UNSIGNED_INT +-#ifndef WANT_STRTOUI +-#define WANT_STRTOUI 1 +-#endif +-#define strtogid (uid_t)strtoui +-#else +-#error unable to find implementation for strtogid() +-#endif ++uint32_t strtoid(const char *nptr,char **endptr,int base); ++#define strtouid (uid_t)strtoid ++#define strtogid (gid_t)strtoid + + #ifdef WANT_STRTOUI + /* provide a strtoui() if it is needed */ diff --git a/SOURCES/nss-pam-ldapd-0.8.12-validname.patch b/SOURCES/nss-pam-ldapd-0.8.12-validname.patch new file mode 100644 index 00000000..6f5244f4 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.12-validname.patch @@ -0,0 +1,36 @@ +Defaults changed to allow opening and closing parentheses everywhere. Defaults +changed again to make characters after the first optional, and again to go back +to disallowing names which end with "\". +--- man/nslcd.conf.5.xml ++++ man/nslcd.conf.5.xml +@@ -712,7 +712,7 @@ + characters and the 'i' flag may be appended at the end to indicate + that the match should be case-insensetive. + The default value is +- /^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i ++ /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i + + + +--- nslcd/cfg.c ++++ nslcd/cfg.c +@@ -134,7 +134,7 @@ static void cfg_defaults(struct ldap_con + cfg->ldc_pam_authz_search[i]=NULL; + cfg->ldc_nss_min_uid=0; + parse_validnames_statement(__FILE__,__LINE__,"", +- "/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i",cfg); ++ "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",cfg); + cfg->pam_password_prohibit_message=NULL; + } + +--- tests/test_common.c ++++ tests/test_common.c +@@ -39,6 +39,8 @@ static void test_isvalidname(void) + assert(!isvalidname("\\foo\\bar")); + assert(!isvalidname("foo\\bar\\")); + assert(isvalidname("me")); /* try short name */ ++ assert(isvalidname("f")); ++ assert(isvalidname("(foo bar)")); + } + + /* the main program... */ diff --git a/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch b/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch new file mode 100644 index 00000000..c7751314 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch @@ -0,0 +1,46 @@ +From e34fccc883e1fb6e7c0e1663e11ff9f96191971f Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 27 Jan 2014 17:04:32 +0100 +Subject: [PATCH 1/2] Fix use after free in read_hostent and read_netent. + +if NSS_STATUS_TRYAGAIN is returned from read_one_hostent or +read_one_netent function tio_skipall will be called with NULL pointer +It could happend in functions: + _nss_ldap_getnetbyname_r + _nss_ldap_getnetbyaddr_r + _nss_ldap_gethostbyname2_r + _nss_ldap_gethostbyaddr_r +--- + nss/hosts.c | 2 -- + nss/networks.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/nss/hosts.c b/nss/hosts.c +index 86b6a77..0e7027e 100644 +--- a/nss/hosts.c ++++ b/nss/hosts.c +@@ -51,8 +51,6 @@ + + #undef ERROR_OUT_BUFERROR + #define ERROR_OUT_BUFERROR(fp) \ +- (void)tio_close(fp); \ +- fp=NULL; \ + *errnop=ERANGE; \ + *h_errnop=TRY_AGAIN; \ + return NSS_STATUS_TRYAGAIN; +diff --git a/nss/networks.c b/nss/networks.c +index 859ef0e..1403b45 100644 +--- a/nss/networks.c ++++ b/nss/networks.c +@@ -51,8 +51,6 @@ + + #undef ERROR_OUT_BUFERROR + #define ERROR_OUT_BUFERROR(fp) \ +- (void)tio_close(fp); \ +- fp=NULL; \ + *errnop=ERANGE; \ + *h_errnop=TRY_AGAIN; \ + return NSS_STATUS_TRYAGAIN; +-- +1.8.5.3 + diff --git a/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch b/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch new file mode 100644 index 00000000..82b7c47d --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch @@ -0,0 +1,41 @@ +From ec86b3d715ae9583288b12686a0552586caa6270 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 27 Jan 2014 17:17:33 +0100 +Subject: [PATCH 2/2] Use right h_errnop for retrying with larger buffer. + +The libc nsswitch code expects h_errno to be set to NETDB_INTERNAL when +it needs to try again with a larger buffer. +--- + nss/hosts.c | 2 +- + nss/networks.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nss/hosts.c b/nss/hosts.c +index 0e7027e..2bf4c86 100644 +--- a/nss/hosts.c ++++ b/nss/hosts.c +@@ -52,7 +52,7 @@ + #undef ERROR_OUT_BUFERROR + #define ERROR_OUT_BUFERROR(fp) \ + *errnop=ERANGE; \ +- *h_errnop=TRY_AGAIN; \ ++ *h_errnop=NETDB_INTERNAL; \ + return NSS_STATUS_TRYAGAIN; + + #undef ERROR_OUT_WRITEERROR +diff --git a/nss/networks.c b/nss/networks.c +index 1403b45..f3cb269 100644 +--- a/nss/networks.c ++++ b/nss/networks.c +@@ -52,7 +52,7 @@ + #undef ERROR_OUT_BUFERROR + #define ERROR_OUT_BUFERROR(fp) \ + *errnop=ERANGE; \ +- *h_errnop=TRY_AGAIN; \ ++ *h_errnop=NETDB_INTERNAL; \ + return NSS_STATUS_TRYAGAIN; + + #undef ERROR_OUT_WRITEERROR +-- +1.8.5.3 + diff --git a/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch b/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch new file mode 100644 index 00000000..be7a3b4b --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch @@ -0,0 +1,17 @@ +diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password nss-pam-ldapd-0.8.13/nslcd/myldap.c +--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.avoid_lockout_on_bad_password 2017-10-24 12:04:22.275105596 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/myldap.c 2017-10-24 12:04:39.355175121 +0200 +@@ -967,6 +967,13 @@ static int do_retry_search(MYLDAP_SEARCH + /* try to start the search */ + pthread_mutex_unlock(&uris_mutex); + rc=do_try_search(search); ++ /* if we are authenticating a user and get an error regarding failed ++ password we should error out instead of trying all servers */ ++ if ((search->session->binddn[0] != '\0') && (rc == LDAP_INVALID_CREDENTIALS)) ++ { ++ do_close(search->session); ++ return rc; ++ } + if (rc==LDAP_SUCCESS) + { + pthread_mutex_lock(&uris_mutex); diff --git a/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch b/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch new file mode 100644 index 00000000..8d6ee6f7 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch @@ -0,0 +1,35 @@ +diff -up nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password nss-pam-ldapd-0.8.13/nslcd/myldap.c +--- nss-pam-ldapd-0.8.13/nslcd/myldap.c.long_password 2017-10-24 12:38:29.315411416 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/myldap.c 2017-10-24 12:38:52.727517587 +0200 +@@ -88,7 +88,7 @@ struct ldap_session + /* the username to bind with */ + char binddn[256]; + /* the password to bind with if any */ +- char bindpw[64]; ++ char bindpw[128]; + /* timestamp of last activity */ + time_t lastactivity; + /* index into ldc_uris: currently connected LDAP uri */ +diff -up nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password nss-pam-ldapd-0.8.13/nslcd/pam.c +--- nss-pam-ldapd-0.8.13/nslcd/pam.c.long_password 2017-10-24 12:39:50.761780765 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/pam.c 2017-10-24 12:41:15.083163153 +0200 +@@ -246,7 +246,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SES + int rc; + char username[256]; + char servicename[64]; +- char password[64]; ++ char password[128]; + const char *userdn; + MYLDAP_ENTRY *entry; + int authzrc=NSLCD_PAM_SUCCESS; +@@ -617,8 +617,8 @@ int nslcd_pam_pwmod(TFILE *fp,MYLDAP_SES + char userdn[256]; + int asroot; + char servicename[64]; +- char oldpassword[64]; +- char newpassword[64]; ++ char oldpassword[128]; ++ char newpassword[128]; + const char *binddn=NULL; /* the user performing the modification */ + MYLDAP_ENTRY *entry; + char authzmsg[1024]; diff --git a/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch b/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch new file mode 100644 index 00000000..b7557b25 --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-uid_formatting.patch @@ -0,0 +1,98 @@ +diff -up nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/group.c +--- nss-pam-ldapd-0.8.13/nslcd/group.c.uid_formatting 2013-02-23 22:24:00.000000000 +0100 ++++ nss-pam-ldapd-0.8.13/nslcd/group.c 2017-10-24 14:17:27.489696761 +0200 +@@ -109,10 +109,8 @@ static int mkfilter_group_bygid(gid_t gi + } + else + { +- return mysnprintf(buffer,buflen, +- "(&%s(%s=%d))", +- group_filter, +- attmap_group_gidNumber,(int)gid); ++ return mysnprintf(buffer,buflen,"(&%s(%s=%lu))", ++ group_filter,attmap_group_gidNumber,(unsigned long int)gid); + } + } + +diff -up nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/nslcd.c +--- nss-pam-ldapd-0.8.13/nslcd/nslcd.c.uid_formatting 2017-10-24 14:17:05.117590857 +0200 ++++ nss-pam-ldapd-0.8.13/nslcd/nslcd.c 2017-10-24 14:17:27.490696766 +0200 +@@ -402,8 +402,8 @@ static void handleconnection(int sock,MY + if (getpeercred(sock,&uid,&gid,&pid)) + log_log(LOG_DEBUG,"connection from unknown client: %s",strerror(errno)); + else +- log_log(LOG_DEBUG,"connection from pid=%d uid=%d gid=%d", +- (int)pid,(int)uid,(int)gid); ++ log_log(LOG_DEBUG,"connection from pid=%lu uid=%lu gid=%lu", ++ (unsigned long int)pid,(unsigned long int)uid,(unsigned long int)gid); + /* create a stream object */ + if ((fp=tio_fdopen(sock,READ_TIMEOUT,WRITE_TIMEOUT, + READBUFFER_MINSIZE,READBUFFER_MAXSIZE, +@@ -519,7 +519,7 @@ static void create_pidfile(const char *f + log_log(LOG_ERR,"cannot truncate pid file (%s): %s",filename,strerror(errno)); + exit(EXIT_FAILURE); + } +- mysnprintf(buffer,sizeof(buffer),"%d\n",(int)getpid()); ++ mysnprintf(buffer,sizeof(buffer),"%lu\n",(unsigned long int)getpid()); + if (write(fd,buffer,strlen(buffer))!=(int)strlen(buffer)) + { + log_log(LOG_ERR,"error writing pid file (%s): %s",filename,strerror(errno)); +@@ -755,11 +755,11 @@ int main(int argc,char *argv[]) + #ifdef HAVE_INITGROUPS + /* load supplementary groups */ + if (initgroups(nslcd_cfg->ldc_uidname,nslcd_cfg->ldc_gid)<0) +- log_log(LOG_WARNING,"cannot initgroups(\"%s\",%d) (ignored): %s", +- nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid,strerror(errno)); ++ log_log(LOG_WARNING,"cannot initgroups(\"%s\",%lu) (ignored): %s", ++ nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid,strerror(errno)); + else +- log_log(LOG_DEBUG,"initgroups(\"%s\",%d) done", +- nslcd_cfg->ldc_uidname,(int)nslcd_cfg->ldc_gid); ++ log_log(LOG_DEBUG,"initgroups(\"%s\",%lu) done", ++ nslcd_cfg->ldc_uidname,(unsigned long int)nslcd_cfg->ldc_gid); + #else /* not HAVE_INITGROUPS */ + #ifdef HAVE_SETGROUPS + /* just drop all supplemental groups */ +@@ -777,20 +777,22 @@ int main(int argc,char *argv[]) + { + if (setgid(nslcd_cfg->ldc_gid)!=0) + { +- log_log(LOG_ERR,"cannot setgid(%d): %s",(int)nslcd_cfg->ldc_gid,strerror(errno)); ++ log_log(LOG_ERR,"cannot setgid(%lu): %s", ++ (unsigned long int)nslcd_cfg->ldc_gid,strerror(errno)); + exit(EXIT_FAILURE); + } +- log_log(LOG_DEBUG,"setgid(%d) done",(int)nslcd_cfg->ldc_gid); ++ log_log(LOG_DEBUG,"setgid(%lu) done",(unsigned long int)nslcd_cfg->ldc_gid); + } + /* change to nslcd uid */ + if (nslcd_cfg->ldc_uid!=NOUID) + { + if (setuid(nslcd_cfg->ldc_uid)!=0) + { +- log_log(LOG_ERR,"cannot setuid(%d): %s",(int)nslcd_cfg->ldc_uid,strerror(errno)); ++ log_log(LOG_ERR,"cannot setuid(%lu): %s", ++ (unsigned long int)nslcd_cfg->ldc_uid,strerror(errno)); + exit(EXIT_FAILURE); + } +- log_log(LOG_DEBUG,"setuid(%d) done",(int)nslcd_cfg->ldc_uid); ++ log_log(LOG_DEBUG,"setuid(%lu) done",(unsigned long int)nslcd_cfg->ldc_uid); + } + /* block all these signals so our worker threads won't handle them */ + sigemptyset(&signalmask); +diff -up nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting nss-pam-ldapd-0.8.13/nslcd/passwd.c +--- nss-pam-ldapd-0.8.13/nslcd/passwd.c.uid_formatting 2013-02-23 22:24:00.000000000 +0100 ++++ nss-pam-ldapd-0.8.13/nslcd/passwd.c 2017-10-24 14:17:27.490696766 +0200 +@@ -115,10 +115,8 @@ static int mkfilter_passwd_byuid(uid_t u + } + else + { +- return mysnprintf(buffer,buflen, +- "(&%s(%s=%d))", +- passwd_filter, +- attmap_passwd_uidNumber,(int)uid); ++ return mysnprintf(buffer,buflen, "(&%s(%s=%lu))", ++ passwd_filter,attmap_passwd_uidNumber,(unsigned long int)uid); + } + } + diff --git a/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch b/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch new file mode 100644 index 00000000..f0dacb4a --- /dev/null +++ b/SOURCES/nss-pam-ldapd-0.8.13-uri-man-fix.patch @@ -0,0 +1,24 @@ +diff -up nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list nss-pam-ldapd-0.8.13/man/nslcd.conf.5 +--- nss-pam-ldapd-0.8.13/man/nslcd.conf.5.uri_list 2017-10-24 14:08:54.429271306 +0200 ++++ nss-pam-ldapd-0.8.13/man/nslcd.conf.5 2017-10-24 14:09:31.691444445 +0200 +@@ -46,7 +46,7 @@ Note that you should use values that don + to resolve. + .SS "GENERAL CONNECTION OPTIONS" + .TP +-\*(T<\fBuri\fR\*(T> \fIURI\fR ++\*(T<\fBuri\fR\*(T> \fIURI\fR ... + Specifies the LDAP URI of the + server to connect to. + The URI scheme may be \*(T, +@@ -66,8 +66,9 @@ When using the ldapi scheme, %2f should + (e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the + time this should not be needed. + +-This option may be specified multiple times. Normally, only the first +-server will be used with the following servers as fall-back (see ++This option may be specified multiple times and/or with more URIs on the ++line, separated by space. Normally, only the first server will be used ++with the following servers as fall-back (see + \*(T<\fBbind_timelimit\fR\*(T> below). + + If LDAP lookups are used for host name resolution, diff --git a/SOURCES/nss-pam-ldapd-exitcode.patch b/SOURCES/nss-pam-ldapd-exitcode.patch new file mode 100644 index 00000000..2b4f8fad --- /dev/null +++ b/SOURCES/nss-pam-ldapd-exitcode.patch @@ -0,0 +1,10 @@ +diff -up nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode nss-pam-ldapd-0.8.14/nslcd/nslcd.c +--- nss-pam-ldapd-0.8.14/nslcd/nslcd.c.retcode 2017-02-08 09:52:39.687834074 +0100 ++++ nss-pam-ldapd-0.8.14/nslcd/nslcd.c 2017-02-08 09:52:54.630891580 +0100 +@@ -866,5 +866,5 @@ int main(int argc,char *argv[]) + log_log(LOG_ERR,"thread %d is still running, shutting down anyway",i); + } + /* we're done */ +- return EXIT_FAILURE; ++ return EXIT_SUCCESS; + } diff --git a/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch b/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch new file mode 100644 index 00000000..7a014f3a --- /dev/null +++ b/SOURCES/nss-pam-ldapd-rh-msgs-in-tests.patch @@ -0,0 +1,30 @@ +diff -up nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect +--- nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect.rh_test_msgs 2014-01-20 15:32:33.253018468 +0100 ++++ nss-pam-ldapd-0.8.13/tests/test_pamcmds.expect 2014-01-20 15:38:00.452957296 +0100 +@@ -40,7 +40,7 @@ proc reset_password {} { + expect { + "LDAP administrator password" { send "test\r"; exp_continue } + -regexp "(New|Retype new) password:" { send "test\r"; exp_continue } +- "password updated successfully" {} ++ "passwd: all authentication tokens updated successfully" {} + "Invalid credentials" abort + "Authentication token manipulation error" abort + default abort +@@ -114,7 +114,7 @@ proc test_login_unknown {uid passwd} { + expect { + "Password:" { send "$passwd\r"; exp_continue } + "Unknown id" {} +- "No passwd entry for user" {} ++ "su: user $uid does not exist" {} + "\$ " abort + default abort + } +@@ -156,7 +156,7 @@ expect { + } + expect { + -regexp "(New|Retype new) password:" { send "newpassword\r"; exp_continue } +- "password updated successfully" {} ++ "passwd: all authentication tokens updated successfully" {} + "Invalid credentials" abort + "Authentication token manipulation error" abort + "\$ " abort diff --git a/SPECS/nss-pam-ldapd.spec b/SPECS/nss-pam-ldapd.spec new file mode 100644 index 00000000..e6e0844a --- /dev/null +++ b/SPECS/nss-pam-ldapd.spec @@ -0,0 +1,640 @@ +%if 0%{?fedora} > 15 || 0%{?rhel} > 6 +%global systemd 1 +%global sysvinit 0 +%else +%global systemd 0 +%global sysvinit 1 +%endif + +# Fedora had these in F18, but we didn't cut over to use them until after F18 +# was frozen, so pretend it didn't happen until F19. +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +%global systemd_macros 1 +%else +%global systemd_macros 0 +%endif + +%if 0%{?fedora} > 14 || 0%{?rhel} > 6 +%global tmpfiles 1 +%else +%global tmpfiles 0 +%endif + +# Fedora had it in F17, but moving things around in already-released versions +# is a bad idea, so pretend it didn't happen until F19. +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +%global separate_usr 0 +%global nssdir %{_libdir} +%global pamdir %{_libdir}/security +%else +%global separate_usr 1 +%global nssdir /%{_lib} +%global pamdir /%{_lib}/security +%endif + +# For distributions that support it, build with RELRO +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7) +%define _hardened_build 1 +%endif + +Name: nss-pam-ldapd +Version: 0.8.13 +Release: 16%{?dist} +Summary: An nsswitch module which uses directory servers +Group: System Environment/Base +License: LGPLv2+ +URL: http://arthurdejong.org/nss-pam-ldapd/ +Source0: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz +Source1: http://arthurdejong.org/nss-pam-ldapd/nss-pam-ldapd-%{version}.tar.gz.sig +Source2: nslcd.init +Source3: nslcd.tmpfiles +Source4: nslcd.service +Patch1: nss-pam-ldapd-0.8.12-validname.patch +Patch2: nss-pam-ldapd-0.8.12-In-nslcd-log-EPIPE-only-on-debug-level.patch +Patch3: nss-pam-ldapd-0.8.12-uid-overflow.patch +Patch4: nss-pam-ldapd-0.8.12-Use-a-timeout-when-skipping-remaining-result-data.patch +Patch5: nss-pam-ldapd-0.8.12-fix-buffer-overflow-on-interrupted-read-thanks-John-.patch +Patch6: nss-pam-ldapd-rh-msgs-in-tests.patch +Patch7: nss-pam-ldapd-0.8.13-Fix-use-after-free-in-read_hostent-and-read_netent.patch +Patch8: nss-pam-ldapd-0.8.13-Use-right-h_errnop-for-retrying-with-larger-buffer.patch +Patch9: nss-pam-ldapd-exitcode.patch +Patch10: nss-pam-ldapd-0.8.12-str-cmp.patch +Patch11: nss-pam-ldapd-0.8.13-avoid-lockout-on-bad-password.patch +Patch12: nss-pam-ldapd-0.8.13-password-longer-than-64-chars.patch +Patch13: nss-pam-ldapd-0.8.13-uri-man-fix.patch +Patch14: nss-pam-ldapd-0.8.13-uid_formatting.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: openldap-devel, krb5-devel +BuildRequires: autoconf, automake +BuildRequires: pam-devel +Obsoletes: nss-ldapd < 0.7 +Provides: nss-ldapd = %{version}-%{release} + +# Obsolete PADL's nss_ldap +Provides: nss_ldap = 265-12 +Obsoletes: nss_ldap < 265-11 + +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +# Obsolete PADL's pam_ldap +Provides: pam_ldap = 185-15 +Obsoletes: pam_ldap < 185-15 +%global build_pam_ldap 1 +%else +# Pull in the pam_ldap module, which is its own package in F14 and later, to +# keep upgrades from removing the module. We used to disable nss-pam-ldapd's +# own pam_ldap.so when it wasn't mature enough. +Requires: pam_ldap%{?_isa} +%global build_pam_ldap 0 +%endif + +# Pull in nscd, which is recommended. +Requires: nscd +%if %{sysvinit} +Requires(post): /sbin/ldconfig, chkconfig, grep, sed +Requires(preun): chkconfig, initscripts +Requires(postun): /sbin/ldconfig, initscripts +%endif +%if %{systemd} +BuildRequires: systemd-units +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +Requires(post): systemd-sysv +%endif + +%description +The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name +service information (users, groups, etc.) on behalf of a lightweight +nsswitch module. + +%prep +%setup -q +%patch1 -p0 -b .validname +%patch2 -p1 -b .epipe +%patch3 -p1 -b .overflow +%patch4 -p1 -b .skiptimeout +%patch5 -p1 -b .readall +%patch6 -p1 -b .test_msgs +%patch7 -p1 -b .use_after_free +%patch8 -p1 -b .errnop_val +%patch9 -p1 -b .exit_code +%patch10 -p1 -b .str_cmp +%patch11 -p1 -b .avoid_lockout_on_bad_password +%patch12 -p1 -b .long_password +%patch13 -p1 -b .uri_list +%patch14 -p1 -b .uid_formatting +autoreconf -f -i + +%build +CFLAGS="$RPM_OPT_FLAGS -fPIC" ; export CFLAGS +%configure --libdir=%{nssdir} \ +%if %{build_pam_ldap} + --with-pam-seclib-dir=%{pamdir} +%else + --disable-pam +%endif +make %{?_smp_mflags} + +%check +make check + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT/{%{_initddir},%{_libdir},%{_unitdir}} +%if %{sysvinit} +install -p -m755 %{SOURCE2} $RPM_BUILD_ROOT/%{_initddir}/nslcd +%endif +%if %{systemd} +install -p -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/ +%endif + +%if 0%{?fedora} > 13 || 0%{?rhel} > 5 +%if %{separate_usr} +# Follow glibc's convention and provide a .so symlink so that people who know +# what to expect can link directly with the module. +if test %{_libdir} != /%{_lib} ; then + touch $RPM_BUILD_ROOT/rootfile + relroot=.. + while ! test -r $RPM_BUILD_ROOT/%{_libdir}/$relroot/rootfile ; do + relroot=../$relroot + done + ln -s $relroot/%{_lib}/libnss_ldap.so.2 \ + $RPM_BUILD_ROOT/%{_libdir}/libnss_ldap.so + rm $RPM_BUILD_ROOT/rootfile +fi +%else +ln -s libnss_ldap.so.2 $RPM_BUILD_ROOT/%{nssdir}/libnss_ldap.so +%endif +%endif + +sed -i -e 's,^uid.*,uid nslcd,g' -e 's,^gid.*,gid ldap,g' \ +$RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf +touch -r nslcd.conf $RPM_BUILD_ROOT/%{_sysconfdir}/nslcd.conf +mkdir -p -m 0755 $RPM_BUILD_ROOT/var/run/nslcd +%if %{tmpfiles} +mkdir -p -m 0755 $RPM_BUILD_ROOT/%{_tmpfilesdir} +install -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/%{_tmpfilesdir}/%{name}.conf +%endif + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root) +%doc AUTHORS ChangeLog COPYING HACKING NEWS README TODO +%{_sbindir}/* +%{nssdir}/*.so.* +%if %{build_pam_ldap} +%{pamdir}/pam_ldap.so +%endif +%{_mandir}/*/* +%attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /etc/nslcd.conf +%if %{tmpfiles} +%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/%{name}.conf +%endif +%if %{sysvinit} +%attr(0755,root,root) %{_initddir}/nslcd +%endif +%if %{systemd} +%config(noreplace) %{_unitdir}/* +%endif +%attr(0755,nslcd,root) /var/run/nslcd +%if 0%{?fedora} > 13 || 0%{?rhel} > 5 +# This would be the only thing in the -devel subpackage, so we include it. It +# will conflict with nss_ldap, so only include it for releases where pam_ldap is +# its own package. +/%{_libdir}/*.so +%endif + +%pre +getent group ldap > /dev/null || \ +/usr/sbin/groupadd -r -g 55 ldap +getent passwd nslcd > /dev/null || \ +/usr/sbin/useradd -r -g ldap -c 'LDAP Client User' \ + -u 65 -d / -s /sbin/nologin nslcd 2> /dev/null || : + +%post +# The usual stuff. +%if %{sysvinit} +/sbin/chkconfig --add nslcd +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_post nslcd.service +%else +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +%endif +%endif +/sbin/ldconfig +# Import important non-default settings from nss_ldap or pam_ldap configuration +# files, but only the first time this package is installed. +comment="This comment prevents repeated auto-migration of settings." +if test -s /etc/nss-ldapd.conf ; then + source=/etc/nss-ldapd.conf +elif test -s /etc/nss_ldap.conf ; then + source=/etc/nss_ldap.conf +elif test -s /etc/pam_ldap.conf ; then + source=/etc/pam_ldap.conf +else + source=/etc/ldap.conf +fi +target=/etc/nslcd.conf +if test "$1" -eq "1" && ! grep -q -F "# $comment" $target 2> /dev/null ; then + # Try to make sure we only do this the first time. + echo "# $comment" >> $target + if grep -E -q '^uri[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default host/uri and replace it... + sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target + # ... with the uri. + grep -E '^uri[[:blank:]]' $source >> $target + elif grep -E -q '^host[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default host/uri and replace it... + sed -i -r -e 's,^((host|uri)[[:blank:]].*),# \1,g' $target + # ... with the "host" reformatted as a URI. + scheme=ldap + # check for 'ssl on', which means we want to use ldaps:// + if grep -E -q '^ssl[[:blank:]]+on$' $source 2> /dev/null ; then + scheme=ldaps + fi + grep -E '^host[[:blank:]]' $source |\ + sed -r -e "s,^host[[:blank:]](.*),uri ${scheme}://\1/,g" >> $target + fi + # Base doesn't require any special logic. + if grep -E -q '^base[[:blank:]]' $source 2> /dev/null ; then + # Comment out the packaged default base and replace it. + sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' $target + grep -E '^base[[:blank:]]' $source >> $target + fi + # Pull in these settings, if they're set, directly. + grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' $source 2> /dev/null >> $target + grep -E '^(tls_)' $source 2> /dev/null >> $target + grep -E '^(timelimit|bind_timelimit|idle_timelimit)[[:blank:]]' $source 2> /dev/null >> $target +fi +# If this is the first time we're being installed, and the system is already +# configured to use LDAP as a naming service, enable the daemon, but don't +# start it since we can never know if that's a safe thing to do. If this +# is an upgrade, leave the user's runlevel selections alone. +if [ "$1" -eq "1" ]; then + if grep -E -q '^USELDAP=yes$' /etc/sysconfig/authconfig 2> /dev/null ; then +%if %{sysvinit} + /sbin/chkconfig nslcd on +%endif +%if %{systemd} + /bin/systemctl --no-reload enable nslcd.service >/dev/null 2>&1 ||: +%endif + fi +fi +# Earlier versions of 0.7.6 of this package would have included both 'gid +# nslcd' (a group which doesn't exist) and 'gid ldap' (which we ensure exists). +# If we detect both, fix the configuration. +if grep -q '^gid nslcd' $target ; then + if grep -q '^gid ldap' $target ; then + sed -i -e 's,^gid nslcd$,# gid nslcd,g' $target + fi +fi +# In 0.8.4, the name of the attribute which was expected to contain the DNs of +# a group's members changed from "uniqueMember" to "member". Change any +# instances of "map group uniqueMember ..." to "map group member ...", unless +# "member" is already being mapped, in which case attempting this would +# probably just confuse things further. +if grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]]" $target ; then + if ! grep -E -q "^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+member[[:blank:]]" $target ; then + sed -i -r -e "s,^[[:blank:]]*map[[:blank:]]+group[[:blank:]]+uniqueMember[[:blank:]](.*),map group member \1,g" $target + fi +fi +# Create the daemon's /var/run directory if it isn't there. +if ! test -d /var/run/nslcd ; then + mkdir -p -m 0755 /var/run/nslcd +fi +exit 0 + +%preun +if [ "$1" -eq "0" ]; then +%if %{sysvinit} + /sbin/service nslcd stop >/dev/null 2>&1 + /sbin/chkconfig --del nslcd +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_preun nslcd.service +%else + /bin/systemctl --no-reload disable nslcd.service > /dev/null 2>&1 || : + /bin/systemctl stop nslcd.service > /dev/null 2>&1 || : +%endif +%endif +fi +exit 0 + +%postun +/sbin/ldconfig +%if %{sysvinit} +if [ "$1" -ge "1" ]; then + /etc/rc.d/init.d/nslcd condrestart >/dev/null 2>&1 +fi +%endif +%if %{systemd} +%if %{systemd_macros} +%systemd_postun_with_restart nslcd.service +%else +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ "$1" -ge "1" ]; then + /bin/systemctl try-restart nslcd.service >/dev/null 2>&1 +fi +%endif +%endif +exit 0 + +%if %{systemd} +%triggerun -- nss-pam-ldapd < 0.7.13-6 +# Save the current service runlevel info, in case the user wants to apply +# the enabled status manually later, by running +# "systemd-sysv-convert --apply nslcd". +%{_bindir}/systemd-sysv-convert --save nslcd >/dev/null 2>&1 ||: +# Do this because the old package's %%postun doesn't know we need to do it. +/sbin/chkconfig --del nslcd >/dev/null 2>&1 || : +# Do this because the old package's %%postun wouldn't have tried. +/bin/systemctl try-restart nslcd.service >/dev/null 2>&1 || : +exit 0 +%endif + +%changelog +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-16 +- Resolves: rhbz#1151675 - NSLCD WRAPS LDAP USER UIDNUMBER > 2^31 SO UID + IS WRONG (AND A NEGATIVE NUMBER) + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-15 +- Resolves: rhbz#1204202 - fix doc to describe actual uri format in + nslcd.conf + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-14 +- Resolves: rhbz#1288429 - /etc/tmpfiles.d/nss-pam-ldapd.conf shipped when + /etc/tmpfiles.d is reserved for the local + administrator + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-13 +- Resolves: rhbz#1312297 - nslcd.service does not restart on failure + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-12 +- Resolves: rhbz#1425790 - Unable to authenticate with 64 character password + using nss-pam-ldapd + +* Tue Oct 24 2017 Jakub Hrozek - 0.8.13-11 +- Resolves: rhbz#1497761 - Incorrect password tries to bind to all domain + controllers and locks user out + +* Mon Oct 23 2017 Jakub Hrozek - 0.8.13-10 +- Resolves: rhbz#1357493 - In RHEL 7, authentication failing when using + nslcd + pam_ldap where user has different in + nis/passwd and ldap. + +* Mon Oct 23 2017 Jakub Hrozek - 0.8.13-9 +- Resolves: rhbz#1420576 - 'systemctl status nslcd' always returns FAILURE + status even though the service is stopped with + 'systemctl stop nslcd + +* Wed Jan 29 2014 Jakub Hrozek 0.8.13-8 +- Fix a potential use-after-free in nsswitch module +- Resolves: rhbz#1036030 - New defect found in nss-pam-ldapd-0.8.13-4.el7 + +* Fri Jan 24 2014 Daniel Mach - 0.8.13-7 +- Mass rebuild 2014-01-24 + +* Mon Jan 20 2014 Jakub Hrozek 0.8.13-6 +- Change the error messages the tests expect to those printed on RH based + systems +- Resolves: rhbz#1044482 + +* Fri Dec 27 2013 Daniel Mach - 0.8.13-5 +- Mass rebuild 2013-12-27 + +* Fri Oct 18 2013 Nalin Dahyabhai 0.8.13-4 +- compile nslcd/log.c with -fPIC instead of the current hardened-build default + of -fPIE, which doesn't seem to avoid relocations for its thread-local + variables on s390x (#1002834) + +* Sat Oct 05 2013 Jakub Hrozek 0.8.13-3 +- Suppress Broken Pipe messages when requesting a large groupo +- Resolves: rhbz#1002829 + +* Wed Jul 31 2013 Jakub Hrozek 0.8.13-2 +- Build with _hardened_build macro + +* Mon May 6 2013 Nalin Dahyabhai 0.8.13-1 +- update to 0.8.13 +- correct a syntax error in the fix that was added for #832706 + +* Tue Apr 30 2013 Nalin Dahyabhai 0.8.12-4 +- in %%post, attempt to rewrite any instances of "map group uniqueMember ..." + to be "map group member ..." in nslcd.conf, as the attribute name changed + in 0.8.4 (via freeipa ticket #3589) + +* Thu Feb 14 2013 Fedora Release Engineering - 0.8.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Jan 18 2013 Nalin Dahyabhai 0.8.12-2 +- drop local patch to make the client flush some more read buffers + +* Fri Jan 18 2013 Nalin Dahyabhai 0.8.12-1 +- update to 0.8.12 (#846793) +- make building pam_ldap conditional on the targeted release +- add "After=named.service dirsrv.target slapd.service" to nslcd.service, + to make sure that nslcd is started after them if they're to be started + on the local system (#832706) +- alter the versioned Obsoletes: on pam_ldap to include the F18 package +- use %%{_unitdir} when deciding where to put systemd configuration, based + on patch from Václav Pavlín (#850232) +- use new systemd macros for scriptlet hooks, when available, based on + patch from Václav Pavlín (#850232) + +* Sun Sep 09 2012 Jakub Hrozek 0.7.17-1 +- new upstream release 0.7.17 + +* Sun Aug 05 2012 Jakub Hrozek - 0.7.16-5 +- Obsolete PADL's nss_ldap + +* Sat Aug 04 2012 Jakub Hrozek - 0.7.16-4 +- Build the PAM module, obsoletes PADL's pam-ldap (#856006) + +* Fri Jul 20 2012 Fedora Release Engineering - 0.7.16-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon May 14 2012 Jakub Hrozek 0.7.16-2 +- backport upstream revision r1659 related to broken pipe when + requesting a large group +- use grep -E instead of egrep to avoid rpmlint warnings + +* Sat Apr 28 2012 Jakub Hrozek 0.7.16-1 +- new upstream release 0.7.16 + +* Thu Mar 15 2012 Jakub Hrozek 0.7.15-2 +- Do not print "Broken Pipe" error message when requesting a large group + +* Fri Mar 9 2012 Jakub Hrozek 0.7.15-1 +- new upstream release 0.7.15 + +* Fri Jan 13 2012 Fedora Release Engineering - 0.7.14-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 16 2011 Jakub Hrozek 0.7.14-2 +- Do not overflow large UID/GID values on 32bit architectures + +* Mon Nov 28 2011 Nalin Dahyabhai +- use the same conditional test for deciding when to create the .so symlink as + we do later on for deciding when to include it in the package (#757004) + +* Fri Sep 23 2011 Jakub Hrozek 0.7.14-1 +- new upstream release 0.7.14 +- obsoletes nss-pam-ldapd-0.7.x-buffers.patch + +* Wed Aug 24 2011 Nalin Dahyabhai 0.7.13-8 +- include backported enhancement to take URIs in the form "dns:DOMAIN" in + addition to the already-implemented "dns" (#730309) + +* Thu Jul 14 2011 Nalin Dahyabhai 0.7.13-7 +- switch to only munging the contents of /etc/nslcd.conf on the very first + install (#706454) +- make sure that we have enough space to parse any valid GID value when + parsing a user's primary GID (#716822) +- backport support for the "validnames" option from SVN and use it to allow + parentheses characters by modifying the default setting (#690870), then + modify the default again to also allow shorter and shorter names to pass + muster (#706860) + +* Wed Jul 13 2011 Nalin Dahyabhai 0.7.13-6 +- convert to systemd-native startup (#716997) + +* Mon Jun 13 2011 Nalin Dahyabhai 0.7.13-5 +- change the file path Requires: we have for pam_ldap into a package name + Requires: (#601931) + +* Wed Mar 30 2011 Nalin Dahyabhai 0.7.13-4 +- tag nslcd.conf with %%verify(not md5 size mtime), since we always tweak + it in %%post (#692225) + +* Tue Mar 1 2011 Nalin Dahyabhai 0.7.13-3 +- add a tmpfiles configuration to ensure that /var/run/nslcd is created when + /var/run is completely empty at boot (#656643) + +* Tue Feb 08 2011 Fedora Release Engineering - 0.7.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Dec 13 2010 Nalin Dahyabhai 0.7.13-1 +- update to 0.7.13 + +* Fri Oct 29 2010 Nalin Dahyabhai 0.7.12-1 +- update to 0.7.12 + +* Fri Oct 15 2010 Nalin Dahyabhai 0.7.11-1 +- update to 0.7.11 + +* Wed Sep 29 2010 jkeating - 0.7.10-2 +- Rebuilt for gcc bug 634757 + +* Fri Sep 24 2010 Nalin Dahyabhai 0.7.10-1 +- update to 0.7.10 + +* Thu Sep 23 2010 Nalin Dahyabhai 0.7.9-2 +- when creating /var/run/nslcd in the buildroot, specify that 0755 is a + permissions value and not another directory name (#636880) + +* Mon Aug 30 2010 Nalin Dahyabhai 0.7.9-1 +- update to 0.7.9 + +* Wed Aug 18 2010 Nalin Dahyabhai 0.7.8-1 +- update to 0.7.8 + +* Wed Jul 7 2010 Nalin Dahyabhai 0.7.7-1 +- update to 0.7.7 + +* Mon Jun 28 2010 Nalin Dahyabhai 0.7.6-3 +- don't accidentally set multiple 'gid' settings in nslcd.conf, and try to + clean up after older versions of this package that did (#608314) + +* Thu May 27 2010 Nalin Dahyabhai 0.7.6-2 +- make inclusion of the .so symlink conditional on being on a sufficiently- + new Fedora where pam_ldap isn't part of the nss_ldap package, so having + this package conflict with nss_ldap doesn't require that pam_ldap be + removed (#596691) + +* Thu May 27 2010 Nalin Dahyabhai 0.7.6-1 +- update to 0.7.6 + +* Mon May 17 2010 Nalin Dahyabhai 0.7.5-3 +- switch to the upstream patch for #592411 + +* Fri May 14 2010 Nalin Dahyabhai 0.7.5-2 +- don't return an uninitialized buffer as the value for an optional attribute + that isn't present in the directory server entry (#592411) + +* Fri May 14 2010 Nalin Dahyabhai 0.7.5-1 +- update to 0.7.5 + +* Fri May 14 2010 Nalin Dahyabhai 0.7.4-1 +- update to 0.7.4 +- stop trying to migrate retry timeout parameters from old ldap.conf files +- add an explicit requires: on nscd to make sure it's at least available on + systems that are using nss-pam-ldapd; otherwise it's usually optional + +* Tue Mar 23 2010 Nalin Dahyabhai 0.7.3-1 +- update to 0.7.3 + +* Thu Feb 25 2010 Nalin Dahyabhai 0.7.2-2 +- bump release for post-review commit + +* Thu Feb 25 2010 Nalin Dahyabhai 0.7.2-1 +- add comments about why we have a .so link at all, and not a -devel subpackage + +* Wed Jan 13 2010 Nalin Dahyabhai +- obsolete/provides nss-ldapd +- import configuration from nss-ldapd.conf, too + +* Tue Jan 12 2010 Nalin Dahyabhai +- rename to nss-pam-ldapd +- also check for import settings in /etc/nss_ldap.conf and /etc/pam_ldap.conf + +* Thu Sep 24 2009 Nalin Dahyabhai 0.6.11-2 +- rebuild + +* Wed Sep 16 2009 Nalin Dahyabhai +- apply Mitchell Berger's patch to clean up the init script, use %%{_initddir}, + and correct the %%post so that it only thinks about turning on nslcd when + we're first being installed (#522947) +- tell status() where the pidfile is when the init script is called for that + +* Tue Sep 8 2009 Nalin Dahyabhai +- fix typo in a comment, capitalize the full name for "LDAP Client User" (more + from #516049) + +* Wed Sep 2 2009 Nalin Dahyabhai 0.6.11-1 +- update to 0.6.11 + +* Sat Jul 25 2009 Fedora Release Engineering - 0.6.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jun 18 2009 Nalin Dahyabhai 0.6.10-3 +- update URL: and Source: + +* Mon Jun 15 2009 Nalin Dahyabhai 0.6.10-2 +- add and own /var/run/nslcd +- convert hosts to uri during migration + +* Thu Jun 11 2009 Nalin Dahyabhai 0.6.10-1 +- update to 0.6.10 + +* Fri Apr 17 2009 Nalin Dahyabhai 0.6.8-1 +- bump release number to 1 (part of #491767) +- fix which group we check for during %%pre (part of #491767) + +* Tue Mar 24 2009 Nalin Dahyabhai +- require chkconfig by package rather than path (Jussi Lehtola, part of #491767) + +* Mon Mar 23 2009 Nalin Dahyabhai 0.6.8-0.1 +- update to 0.6.8 + +* Mon Mar 23 2009 Nalin Dahyabhai 0.6.7-0.1 +- start using a dedicated user + +* Wed Mar 18 2009 Nalin Dahyabhai 0.6.7-0.0 +- initial package (#445965)