$Id: ChangeLog,v 1.165 2002/10/18 00:26:26 lukeh Exp $
===============================================================

156	Luke Howard <lukeh@padl.com>

	* fix for bug #119

155	Luke Howard <lukeh@padl.com>

	* proper for for non-expermental password change exop;
	  broke compiling with older SDKs

154	Luke Howard <lukeh@padl.com>

	* fix for bug #115
	* PWEXPIRED fix from Howard Chu

153	Luke Howard <lukeh@padl.com>

	* support non-experimental password change exop
	* patch from Howard Chu to use linker grouping on
	  Solaris

152	Luke Howard <lukeh@padl.com>

	* fix build breakage with OpenLDAP HEAD

151	Luke Howard <lukeh@padl.com>

	* HP-UX port
	* import dlfcn.h on Solaris with Netscape SDK
	* export required symbols only on Linux, HP-UX, Darwin

150	Luke Howard <lukeh@padl.com>

	* added depcomp for new automake

149	Luke Howard <lukeh@padl.com>

	* OS X build fix
	* alias for RACF password changing
	* use LDAP_MOD_ADD when changing NDS passwords rather
	  than LDAP_MOD_REPLACE; NDS documentation indicates
	  that this should work, and this is required for RACF.
	* BUG#101: should build with recent automake/autoconf

148	Luke Howard <lukeh@padl.com>

	* check for Netscape SDK without SSL; don't require
	  pthreads for these

147	Luke Howard <lukeh@padl.com>

	* make shadow.lstchg default -1 to not force
 	  password change when now shadow information present

146	Luke Howard <lukeh@padl.com>

	* fix for BUG#91 / Debian Bug #144175: adhere to
	  convention of the last change of the password being
	  on the Unix Epoch implying a forced password change,
	  and fix error propagation with expiring passwords

145	Luke Howard <lukeh@padl.com>

	* patch for building on OpenLDAP 1.x from Nalin
	  at RedHat

144	Luke Howard <lukeh@padl.com>

	* avoid use of temporary variable when reporting
	  non-existent configuration file; fix for local
	  format string vulnerability reported at:
 http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html
	* log correct configuration file name when reporting
	  missing "host" directive

143	Luke Howard <lukeh@padl.com>

	* specify runtime path for LDAP library correctly to
	  native Solaris linker

142	Luke Howard <lukeh@padl.com>

	* use native linker on Solaris

141	Luke Howard <lukeh@padl.com>

	* support for headers in /usr/include/pam (Darwin)
	* integrated fix for BUG#79

140	Luke Howard <lukeh@padl.com>

	* further fix for recall #8362: do not turn
	  all users into template users

139	Luke Howard <lukeh@padl.com>

	* fix for recall #8362: support template users 
	  when try_first_pass succeeds

138	Luke Howard <lukeh@padl.com>

	* when flushing cached session data, check to see
	  whether the application has requested a different
	  configuration file due to a changed service

137	Luke Howard <lukeh@padl.com>

	* treat exceeded time and size limits as a successful
	  return code; we may still have a single entry back.
	* BUG#77: make configuration file paths configurable

136	Luke Howard <lukeh@padl.com>

	* module stack fixes from Thorsten Kukuk

135	Luke Howard <lukeh@padl.com>

	* revert UID check to getuid() per patch from
	  Erich Schneider
	
134	Luke Howard <lukeh@padl.com>

	* per suggest from Bill Welliver, check for
	  effective UID being 0, not real UID
	* added ber_free() after ber_flatten() in 
	  extended operation password changing code

133	Luke Howard <lukeh@padl.com>

	* Patch from Ed Golden for group_dn: set error
	  code correctly

132	Luke Howard <lukeh@padl.com>

	* Patch from Bob Guo to discard trailing whitespace
	  in configuration file

131	Luke Howard <lukeh@padl.com>

	* allow "*" wildcard value to be present in host
	  attribute
	* added ignore_unknown_user option to all module
	  functions; if the user could not be found and this
	  option is set, PAM_IGNORE will be returned instead
	  of PAM_USER_UNKNOWN

130	Luke Howard <lukeh@padl.com>

	* don't return PAM_AUTH_ERR for authorization errors;
	  return PAM_PERM_DENIED
	* reverted patch in pam_ldap-114: if a user doesn't
	  exist in LDAP, pam_sm_acct_mgmt() returns
	  PAM_IGNORE, rather than PAM_SUCCESS.
	* HEADS UP: in default configuration, disable checking
	  the host attribute. This must now be manually
	  enabled with pam_check_host_attr in ldap.conf.
	* HEADS UP: if checking the host attribute is
	  enabled, and a user does not have any values for
	  the host attribute, do not allow them to login.
	  This avoids the ugly situation of having to add
	  a dummy, invalid value for the host attribute for
	  users that were not allowed to login to any host.

129	Luke Howard <lukeh@padl.com>

	* don't return PAM_SYSTEM_ERR for LDAP-related errors
	* return PAM_AUTHINFO_UNAVAIL for directory-related
	  (but not configuration-related) errors so that
	  stacking modules will work properly (thanks to
	  Brian Nelson <bnelson@cis.ysu.edu> for pointing this
	  out)

127	Luke Howard <lukeh@padl.com>

	* fixed segfault bug if nss_base_passwd contains
	  a scope but no filter (BUG#69)

126	Luke Howard <lukeh@padl.com>

	* fixed rebind prototype in pam_ldap.h for new
	  OpenLDAP client library

125	Luke Howard <lukeh@padl.com>

	* added ldap.conf stanza for AIX
	* added configurable checking host host attribute
	  (pam_check_host_attr in ldap.conf)

124	Luke Howard <lukeh@padl.com>

	* note in ldap.conf that the default encryption
	  scheme for changing passwords is none (let
	  the server do it) (BUG#65)
	* pass NULL as session handle for SSL options;
	  they are set globally

123	Luke Howard <lukeh@padl.com>

	* support for new OpenLDAP rebind procedure
	* do not try to open /etc/ldap.secret unless root
	* use LDAP_OPT_NETWORK_TIMEOUT if available

122	Luke Howard <lukeh@padl.com>

	* make buildable with Sun's C compiler

121	Luke Howard <lukeh@padl.com>

	* escape username only, not entire filter

120	Luke Howard <lukeh@padl.com>

	* escape search filter to avoid wildcards etc
	* put prototypes back in, where did they go?

119	Luke Howard <lukeh@padl.com>

	* with password change exop, use bind password not encoded
	  old password for old password
	* added --disable-ssl option to configure for Debian
	* patch from Helmut Wirth <wirth@bison-soft.de> to allow
	  only a URI to be specified.
	* only set SSL options if we have values for those options

118	Luke Howard <lukeh@padl.com>

	* in _set_ssl_options(), apply the options actually to
	  the current session not a NULL pointer (which apparently
	  worked with ldap_pvt_tls_set_option())

117	Luke Howard <lukeh@padl.com>

	* do not strdup a NULL pointer if we are root
	  when changing passwords

116	Luke Howard <lukeh@padl.com>

	* make sure old authentication token is zeroed
	  out before freeing (now that we are storing the
	  old authentication token privately)

115	Luke Howard <lukeh@padl.com>

	* fix for updating passwords (consistent for Linux/Solaris)

114	Luke Howard <lukeh@padl.com>

	* patch from Brian Nelson <bnelson@cis.ysu.edu>; if
	  a user doesn't exist in LDAP, then make pam_sm_acct_mgmt()
	  return PAM_SUCCESS
	* another patch for correctly updating passwords on
	  Solaris (which doesn't do preliminary password changing
	  the same was as Linux-PAM)

113	Luke Howard <lukeh@padl.com>

	* don't use ldap_pvt_tls_set_option(); it is private API

112	Luke Howard <lukeh@padl.com>

	* SSL fix

111	Luke Howard <lukeh@padl.com>

	* further patch from Tero to fix chfn/chsh
	* further patch from Jarkko for TLS/SSL using
	  OpenLDAP: support for LDAPS, cipher suite
	  selection, client key/cert authentication

110	Luke Howard <lukeh@padl.com>

	* build on Mac OS X FCS; configure --libdir=/Library
	  (this will only work properly on HFS+ volumes)

109	Luke Howard <lukeh@padl.com>

	* patch from Tero Pelander <tpeland@tkukoulu.fi> for
	  testing scope in nss_base_passwd
	* patch from Jarkko Turkulainen <jt@wapit.com> for client
	  side certificate support

108	Luke Howard <lukeh@padl.com>

	* patch from Thorsten Kukuk <kukuk@suse.de>:
	  The problem: pam_ldap does not abort in the second
	  pam_sm_chauthtok call, if we really change the password
	  and the user does not exist in the LDAP database (tested
	  with pam_ldap-105 and pam_ldap-107).

107	Luke Howard <lukeh@padl.com>

	* s/HAVE_LDAP_SET_REBIND_PROC_ARGS/LDAP_SET_REBIND_PROC_ARGS/
	  (typo causing prototype mismatch)

106	Luke Howard <lukeh@padl.com>

	* URI support
	* cleaned up some warnings with older client 
	  libraries

105	Luke Howard <lukeh@padl.com>

	* check for HAVE_LDAP_{SET,GET}_OPTION always

104	Luke Howard <lukeh@padl.com>

	* check for ldap_set_option(), as LDAP_OPT_REFERRALS
	  is defined for OpenLDAP 1.x but without the
	  ldap_set_option() function

103	Luke Howard <lukeh@padl.com>

	* patch from Thomas Noel to handle shadow
	  expiry properly

102	Luke Howard <lukeh@padl.com>

	* define macros LDAP_OPT_{OFF,ON} if
	  not defined
	* make SECSPERDAY 86400LL

101	Luke Howard <lukeh@padl.com>

	* fix uninitialized variable
	* retrieve password policy on actual password
	  change, may not have been done if we were root.

100	Luke Howard <lukeh@padl.com>

	* use -rpath on all platforms except Solaris,
	  not just Linux

99	Luke Howard <lukeh@padl.com>

	* use -shared not --shared
	* compile with -DPIC on FreeBSD

98	Luke Howard <lukeh@padl.com>

	* merged ldap.conf

97	Luke Howard <lukeh@padl.com>

	* %configure -> ./configure

96	Luke Howard <lukeh@padl.com>

	* put some meaningful content in AUTHORS
	* new spec file from Joe Little

95	Luke Howard <lukeh@padl.com>

	* add files for automake happiness

94 	Luke Howard <lukeh@padl.com>

	* default to LDAP protocol version 3
	* documented exop in README
	* link on Solaris with -M mapfile
	* Solaris link with -Wl; will work with
	  gcc only, I think
	* use sysconfdir, not etcdir

93	Luke Howard <lukeh@padl.com>

	* made PAM_CLEAR the default for pam_password,
	  as was originally the case. Don't break
	  existing configurations!

92	Luke Howard <lukeh@padl.com>

	* support for OpenLDAP password change extended
	  operation, if available. Enable with 

		pam_password exop

	  in ldap.conf

91	Luke Howard <lukeh@padl.com>

	* centralized authtok update code. The pam_crypt,
	  pam_ad_passwd, and pam_nds_passwd configuration
	  file keys are deprecated; instead the following
	  configuration file key will be used:

		pam_password [clear|crypt|md5|nds|ad]

	  See README for more information. (NB: The
	  pam_crypt will continue to work so as to not
	  compromise existing deployments.)

90	Luke Howard <lukeh@padl.com>

	* support for correct rebind function prototype
	  with OpenLDAP SDK

89	Luke Howard <lukeh@padl.com>

	* support for connection timeout in Netscape SDK

88	Luke Howard <lukeh@padl.com>

	* support for "referrals" and "restart" in
	  ldap.conf
	* don't use ldap_perror() for logging TLS errors
	* optionally get scope/filter from 
	  "nss_base_passwd" value
	* accept on/yes/true for boolean configuration
	  keys

87	Luke Howard <lukeh@padl.com>

	* support for "timelimit" and "bind_timelimit" in 
	  ldap.conf
	* use "nss_base_passwd" for search base preferentially
	  to "base"
	* fixed code order bug in setting TLS option;
	  introduced by patch in pam_ldap-86

86	Luke Howard <lukeh@padl.com>

	* patches from Norbert Klasen:
	* activate either Start TLS or LDAPS with
	  OpenLDAP 2.x using "ssl start_tls" or
	  "ssl yes" respectively in ldap.conf
	* Active Directory password changing

85	Luke Howard <lukeh@padl.com>

	* patches from David Begley:
	* note about using --with-ldap-lib=netscape4
	* patch to configure (regenerated from configure.in)
	* note about using gnumake
	* linking with lib{plc,plds,nspr}3 libraries for
	  4.1x Netscape SDK
	* use -G not --shared when building shared
	  libraries on Solaris

84	Luke Howard <lukeh@padl.com>

	* fixed typo in pam_ldap.c

83	Luke Howard <lukeh@padl.com>

	* patch from nalin@redhat.com for StartTLS,
	  enforce V3
	* fixed up indenting
	* patch from David Begley to check for netscape4.1 lib

82	Luke Howard <lukeh@padl.com>

	* s/conffile/config; forgot to patch properly

81	Luke Howard <lukeh@padl.com>

	* use MAXPATHLEN instead of PATH_MAX; pam_ldap-80
	  failed on Solaris

80	Luke Howard <lukeh@padl.com>

	* added support for configurable configuration files;
	  you can now specify an alternate configuration file
	  using the config= parameter in pam.conf. This patch
	  was provided by scremer@dohle.com
	* added Solaris-specific linker flag patch from
	  David Begley

79	Luke Howard <lukeh@padl.com>

	* updated shipables for RC

78	Luke Howard <lukeh@padl.com>

	* updated prebuild step for RC

77	Luke Howard <lukeh@padl.com>
	
	* renamed _authenticate() to _do_authentication()
	  to avoid name conflict with ONC RPC headers

76	Luke Howard <lukeh@padl.com>

	* fixes to configure from David Begley;
	  detect LDAP client libraries properly
	* fix to Makefile.am from David Begley;
	  don't delete nss_ldap library on uninstall

75	Luke Howard <lukeh@padl.com>

	* updated README with Solaris crypt(3) FAQ

74	Luke Howard <lukeh@padl.com>

	* fixed support for NDS password changing,
	  from Petr Olivka <Petr.Olivka@vsb.cz>

73	Luke Howard <lukeh@padl.com>

	* added support for OpenLDAP start TLS, from
	  Alex Schlessinger <alex@hq.workspot.com>

72	Luke Howard <lukeh@padl.com>

	* added nasty_ssl_hack() constructor; this
	  dlopens ourself so that we always remain
	  loaded, and ssl_initialized is set across
	  invocations of PAM. Probably the path should
	  not be hardcoded but sourced from config.h.

71	Luke Howard <lukeh@padl.com>

	* call ldapssl_client_init() once only (this doesn't
	  have the desired effect because PAM unloads the
	  library after pam_end() is called)

70	Luke Howard <lukeh@padl.com>

	* in rebind proc, check session->info != NULL
	* in rebind proc, check {user,bind}{dn,pw} != NULL

68	Luke Howard <lukeh@padl.com>

	* initialize tmplattr/tmpluser fields

67	Luke Howard <lukeh@padl.com>

	* check _authenticate() return code before setting
	  template user

66	Luke Howard <lukeh@padl.com>

	* ypldapd locator support is now a configure option

65	Luke Howard <lukeh@padl.com>

	* set shadowLastChange silently (allow it to fail)

64	Luke Howard <lukeh@padl.com>

	* more consistent log messages (removed brackets)
	* set uid to nobody if unreadable from directory
	* support template users so users can login with
	  a name without a local POSIX account.
	* PAM_AUTHTOK_RECOVERY_ERR (not ...RECOVER_ERR) 
	  on Soalris

63	Luke Howard <lukeh@padl.com>

	* return PAM_MAXTRIES if number of tries exceeded

62	Luke Howard <lukeh@padl.com>

	* new spec file from Dan Berry

61	Luke Howard <lukeh@padl.com>

	* patch from norbert.klasen@zdv.uni-tuebingen.de (bug);
	  was logging plaintext password in pam_ldap.c
	* log pam_strerror() not integer status code

60	Luke Howard <lukeh@padl.com>

	* patch from Jungle Lin@judicial.gov.tw to fix
	  logic bug in pam_sm_chauthtok()

59	Luke Howard <lukeh@padl.com>

	* fixed some assumptions in chsh/chfn, need to look
	  further at this though

58	Tom Lear <tom@trap.mtview.ca.us>

	* Debian bug #64217: remove redunant code in pam_ldap.c
	* Debian bug #64220: add minuid and maxuid parameters
	* Debian bug #65295: chsh/chfn implementation

55	Doug Nazar <nazard@dragoninc.on.ca>

	* md5 crypt support
	* rootbinddn support
	* rebind support for openldap
	* async ldap calls for bind
	* use_authtok support
	* autoconf/automake support

51	Luke Howard <lukeh@padl.com>

	* updated spec file

50	Luke Howard <lukeh@padl.com>

	* more patches from Scott Balneaves
	* use PAM_NEW_AUTHTOK_REQD instead of PAM_AUTHTOK_REQD
	* return PAM_SUCCESS for pam_sm_open_session()
	* reorganization of shadow code

49	Luke Howard <lukeh@padl.com>

	* more patches from Scott Balneaves; now just check
	  for shadow expiry date rather than shadowAccount
	  object class
	* added deref parameter to ldap.conf for parity with
	  OpenLDAP

48	Luke Howard <lukeh@padl.com>

	* added patch from Scott Balneaves <sbalneav@legalaid.mb.ca>
	  to read shadowAccount attributes

47	Luke Howard <lukeh@padl.com>

	* removed _connect_anonymously() clause when updating
	  shadowLastChange

46	Luke Howard <lukeh@padl.com>

	* incorporated new spec file

44	Luke Howard <lukeh@padl.com>

	* incorporated patch for shadowLastChange attribute

40	Luke Howard <lukeh@padl.com>

	* added support for NDSv8 password changing
	  (this is experimental)

39	Luke Howard <lukeh@padl.com>

	* added some comments in Make.defs about different
	  SDKs

38	Luke Howard <lukeh@padl.com>

	* fixed typo in pam.d/ssh

37	Luke Howard <lukeh@padl.com>

	* merged in BUG#37 branch
	* added Makefile.freebsd

36.BZ37.6	Luke Howard <lukeh@padl.com>

	* updated ChangeLog (this file)

36.BZ37.5	Luke Howard <lukeh@padl.com>

	* included FreeBSD porting fixes

36.BZ37.4	Luke Howard <lukeh@padl.com>

	* send user credentials of bound_as_user is
	  set, rather than if userpw != NULL

36.BZ37.3	Luke Howard <lukeh@padl.com>

	* drop userpw if it is already set

36.BZ37.2	Luke Howard <lukeh@padl.com>

	* fixed reordered include to compile properly

36.BZ37.1	Luke Howard <lukeh@padl.com>

	* patch release with possible fix for BUG#37, where
	  user credentials were not being forwarded to
	  referred servers (whilst password changing)

36   Luke Howard <lukeh@padl.com>

	* added -lresolv to library search path
	* incorporated stein@terminator.net's patches for RPM
	  builds

35   Luke Howard <lukeh@padl.com>

	* put /usr/ucblib back in linker search path on Solaris

33   Luke Howard <lukeh@padl.com>

	* fixed pam_ldap.c to support compiling against an API
	  which conforms to draft-ietf-ldapext-ldap-c-api-02.txt.
	  Should make it easier to work with OpenLDAP 2. Netscape
	  specific extensions are guarded with NETSCAPE_API_EXTENSIONS.

30   Luke Howard <lukeh@padl.com>

	* fixed Make.defs for linking against OpenLDAP libldap
	  (recall #279)
	* more SSL stuff

28   Luke Howard <lukeh@padl.com>

	* added patch from gero@faveve.uni-stuttgart.de for
	  parsing of ldap.conf with tabs
	* various patches hopefully to get SSL to work

27   Luke Howard <lukeh@padl.com>

	* fix for recall 256: free() smasher 

26   Luke Howard <lukeh@padl.com>

	* added commented out flags for non-V3 SDKs

25   Luke Howard <lukeh@padl.com>

	* removed ucblib search path

24   Luke Howard <lukeh@padl.com>

	* compile with -D_REENTRANT and link against -lpthread
	  to satisfy dependancies in libldapssl30. (BUG#7)

23   Luke Howard <lukeh@padl.com>

	* no longer use LDAP_VERSION3 to select API
	  (BUG#6)

21   Luke Howard <lukeh@padl.com>

	* added rebind function
	* various stuff for RC added
	* broke out makefiles
	* ldap.conf keys case-insensitive for compat with
	  OpenLDAP

17   Luke Howard <lukeh@padl.com>

	* force users to change passwords if their account has
	  expired
	* updated mapfile for Solaris

14   Luke Howard <lukeh@padl.com>

	* fall back to /etc/ldap.conf if ypldapd is configured
	  for configuration lookup
	* fixed up pam.conf

13   Luke Howard <lukeh@padl.com>

	* added -lcrypt for Linux

12   Luke Howard <lukeh@padl.com>

	* Use ldap_open() for V2 as ldap_init() doesn't work
	* Support hashing passwords locally for UMich crypt
	  patched server
	* Tested against Microsoft Exchange Server
	* Fixed some errors in ldap.conf and mapfile

11   Luke Howard <lukeh@padl.com>

	* Added support for group membership as in Chris'
	  pam_ldap_auth module; see the pam_groupdn and
	  pam_group_attribute configuration keys.
	* Changed pam_attribute to pam_login_attribute to
	  avoid confusion with pam_group_attribute.
	* Support Netscape password expiration controls
	* Avoid authenticating users with empty passwords,
	  even if the directory server does
	* Fill in pam_sm_{open,close}_session for completeness
	  (they return PAM_IGNORE)

10   Luke Howard <lukeh@padl.com>

	* tested with Linux-PAM 0.57
	* made all functions static
	* added prototypes
	* LDAP connections can be persistent over an entire PAM
	  session through the use of pam_set_data() and
	  pam_get_data()
	* fixed some bugs
	
9   Luke Howard <lukeh@padl.com>

	* first publically available version.