Posted almost 14 years ago by Arthur de Jong
Release 0.8.1 of nss-pam-ldapd has just been made available which fixes
a serious security problem that would allow login for users not in LDAP.
The CVE project has assigned CVE-2011-0438 to this problem.
More details about the vulnerability can be found here:
http://arthurdejong.org/nss-pam-ldapd/news.html#20110309
This release remains a development release and is expected to undergo
more active development. Users that require a stable release are
encouraged to stay with 0.7 until 0.8 stabilizes.
A summary of the changes since 0.8.0:
* properly handle user-not-found errors when doing authentication
(CVE-2011-0438)
* include a file that was missing for Solaris support
* add FreeBSD support, partially imported from the FreeBSD port (thanks
to Jacques Vidrine, Artem Kazakov and Alexander V. Chernikov)
* document how to replace pam_check_service_attr and pam_check_host_attr
options in PADL's pam_ldap with pam_authz_search in nss-pam-ldapd
* implement a fqdn variable that can be used in pam_authz_search filters
* create the directory to hold the socket and pidfile on startup
* implement host, network and netgroup support in pynslcd
More information on this release can be found at:
http://arthurdejong.org/nss-pam-ldapd/news.html#20110310
Posted almost 14 years ago by Arthur de Jong
Russell Sim discovered a serious security vulnerability in development
release 0.8.0 of nss-pam-ldapd that allows authentication with an
incorrect password for local user accounts.
The PAM module will erroneously return a success code when the user
cannot be found in LDAP. Exploitability depends on the details of the
PAM configuration but on systems that don't use the minimum_uid PAM
option it may be possible to log in to any local account, including
root.
This problem only affects the 0.8.0 development release of
nss-pam-ldapd. Earlier releases are not affected.
This problem has been assigned CVE-2011-0438.
More details are available at:
http://arthurdejong.org/nss-pam-ldapd/news.html#20110309
Affected users are advised to apply the attached patch, upgrade to 0.8.1
(which will be released shortly), downgrade to 0.7.13 or disable
nss-pam-ldapd's PAM module.
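The PAM stack semantics behind the advisory above and the 0.8.1 fix at the top of the page, as an added example that is not part of the original posts or of nss-pam-ldapd's code: a toy PAM evaluator showing why a module that answers "success" for a user it cannot find turns the usual "sufficient pam_ldap, required pam_unix" stack into a login bypass, how the minimum_uid option narrows the exposure, and how returning user-unknown (the 0.8.1 behaviour) closes it. The account tables, passwords and stack layouts are constructed for the example.

```python
# Toy model of a PAM "auth" stack, added to illustrate CVE-2011-0438 as
# described in the advisory above. Constructed example, not nss-pam-ldapd
# code: accounts and passwords are made up and only 'sufficient'/'required' are modelled.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "success", "auth_err", "user_unknown"

# Constructed directories: alice lives in LDAP, root and bob are local.
LDAP_USERS = {"alice": {"uid": 10001, "password": "alice-pw"}}
LOCAL_USERS = {"root": {"uid": 0, "password": "root-pw"},
               "bob": {"uid": 1000, "password": "bob-pw"}}

def pam_ldap(user, password, *, vulnerable, minimum_uid=None):
    """Model of the nss-pam-ldapd PAM module. vulnerable=True reproduces the
    0.8.0 defect: a user-not-found error becomes PAM_SUCCESS. minimum_uid
    models the PAM option that skips accounts below the given uid."""
    nss = LOCAL_USERS.get(user) or LDAP_USERS.get(user)   # NSS-style lookup
    if minimum_uid is not None and (nss is None or nss["uid"] < minimum_uid):
        return PAM_USER_UNKNOWN
    entry = LDAP_USERS.get(user)
    if entry is None:
        # 0.8.1 behaviour: not an LDAP user, let the rest of the stack decide.
        return PAM_SUCCESS if vulnerable else PAM_USER_UNKNOWN
    return PAM_SUCCESS if entry["password"] == password else PAM_AUTH_ERR

def pam_unix(user, password, **_):
    """Local password check against the constructed LOCAL_USERS table."""
    entry = LOCAL_USERS.get(user)
    if entry is None:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if entry["password"] == password else PAM_AUTH_ERR

def run_auth_stack(stack, user, password):
    """Evaluate (control, module, options) entries as PAM does for these two
    controls: a 'sufficient' success ends the stack with success unless a
    'required' module already failed; a 'required' failure fails the stack
    but the remaining modules still run."""
    failed = required_ok = False
    for control, module, options in stack:
        result = module(user, password, **options)
        if control == "sufficient" and result == PAM_SUCCESS and not failed:
            return PAM_SUCCESS
        elif control == "required":
            failed = failed or result != PAM_SUCCESS
            required_ok = required_ok or result == PAM_SUCCESS
    return PAM_SUCCESS if required_ok and not failed else PAM_AUTH_ERR

# The usual layout: "auth sufficient pam_ldap.so" followed by
# "auth required pam_unix.so", in three variants.
STACK_VULNERABLE = [("sufficient", pam_ldap, {"vulnerable": True}),
                    ("required", pam_unix, {})]
STACK_MINIMUM_UID = [("sufficient", pam_ldap, {"vulnerable": True, "minimum_uid": 1000}),
                     ("required", pam_unix, {})]
STACK_FIXED = [("sufficient", pam_ldap, {"vulnerable": False}),
               ("required", pam_unix, {})]

if __name__ == "__main__":
    for name, stack in [("0.8.0", STACK_VULNERABLE),
                        ("0.8.0 + minimum_uid", STACK_MINIMUM_UID),
                        ("0.8.1", STACK_FIXED)]:
        print(name, "root with wrong password:", run_auth_stack(stack, "root", "wrong"))
```

The minimum_uid variant only shields accounts below the threshold, which is why the advisory treats it as a configuration detail rather than a fix.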
Posted about 14 years ago by Arthur de Jong
I'm pleased to announce release 0.8.0 of nss-pam-ldapd. The 0.8 branch
is a new development branch of nss-pam-ldapd in which a number of new
features and implementations are introduced. As such, it isn't the most
stable version of nss-pam-ldapd but users are urged to try out this
release and send feedback.
The 0.7 branch will be supported with bug and security fixes at least
until the 0.8 branch has stabilised.
A summary of the changes since 0.7.13 (some more details further on):
* include Solaris support developed by Ted C. Cheng of Symas Corporation
* include an experimental partial implementation of nslcd in Python
(disabled by default, see --enable-pynslcd configure option)
* implement a nss_min_uid option to filter user entries returned by LDAP
* implement a rootpwmodpw option that allows the root user to change a
user's password without a password prompt
* try to update the shadowLastChange attribute on password change
* all log messages now include a description of the request to more
easily track problems when not running in debug mode
* allow attribute mapping expressions for the userPassword attribute for
passwd, group and shadow entries and by default map it to the
unmatchable password ("*") to avoid accidentally leaking password
information
* numerous compatibility improvements
* add --with-pam-seclib-dir and --with-pam-ldap-soname configure options
to allow more control of how to install the PAM module
* add --with-nss-flavour and --with-nss-maps configure options to
support other C libraries and limit which NSS modules to install
* allow tilde (~) in user and group names
* improvements to the timeout mechanism (connections are now actively
timed out using the idle_timelimit option)
* set socket timeouts on the LDAP connection to disconnect regardless of
LDAP and possibly TLS handling of connection
* better disconnect/reconnect handling of error conditions
* some code improvements and cleanups and several smaller bug fixes
* all internal string comparisons are now also case sensitive (e.g. for
providing DN to username lookups, etc)
* signal handling in the daemon was changed to behave more reliably
across different threading implementations
* nslcd will now always return a positive authorisation result during
authentication to avoid confusing the PAM module when it is only used
for authorisation
* Debian packaging improvement: implement configuring SASL
authentication using Debconf, based on a patch by Daniel Dehennin
More information on this release can be found at:
http://arthurdejong.org/nss-pam-ldapd/news.html#20101230
Support for Solaris was kindly provided by Ted C. Cheng of Symas
Corporation but was subsequently updated to simplify the code and to
support both Glibc and Solaris with the same code base. As such, the
current code isn't very well tested and contributions on this are most
welcome. There have been reports of problems with the communication
between the NSS module and nslcd.
The idea with pynslcd is to offer an alternative implementation of nslcd
that has less and easier to maintain code (most modules are about a
third of the size of their C counterpart). This makes it simpler to
implement extra features (e.g. caching). The implementation is currently
still incomplete (mainly missing configuration file parsing, attribute
mapping, proper logging and the rpc, network, netgroup, service,
protocol and hostname maps) but work is under way and it already passes
most of the basic tests in the test environment.
Some more features that may be implemented in the 0.8 series are:
* updates of the logging system to rate-limit and more cleanly log
warnings
* integration of FreeBSD support
* implement better filtering of information passed between NSS layer and
LDAP server (e.g. make user and group name filtering configurable with
regular expression)
* investigate switching to using environment variables to disable NSS
module
* implementation of nested groups
If you ar...
Posted about 14 years ago by Arthur de Jong
Release 0.7.13 of nss-pam-ldapd has just been made available which fixes
a bug in the idle_timelimit disconnecting logic which would result in
never disconnecting. This should be a reasonably stable and well tested
release.
A summary of the changes since 0.7.12:
* fix handling of idle_timelimit option
* fix error code for problem while doing password modification
More information on this release can be found at:
http://arthurdejong.org/nss-pam-ldapd/news.html#20101211
The 0.7 series is in maintenance mode and will only receive bugfixes and
security support. New features are targeted for a 0.8 release.