(The version sequence apparently goes 0.8.12 -> 0.9.0, with 0.8.13 as a maintenance release.)

Pkgsrc changes:

* Make sure the .so modules are installed unstripped, so that they can actually be used (need symbol lookup for register functions).
* Replace python interpreter in a couple of installed scripts.
* Point nslcd to config file in PKG_SYSCONFDIR, but install example config in example directory.

Upstream changes:

changes from 0.9.6 to 0.9.7
---------------------------

* check existence of TLS certificate and key files on start-up
* fix password policy expiration handling when password was about to expire (thanks Mathieu Baeumler for tracking this down)
* fix updating of shadowLastChange attribute when chasing referrals (thanks Vasilis Tsiligiannis)
* add a pam_authc_ppolicy option to allow completely disabling ppolicy handling (thanks Mathieu Baeumler)
* fix handling of nss_disable_enumeration (thanks Andrew W Elble for pointing this out)
* display human readable password expiry messages (thanks Mathieu Baeumler)
* fix error when changing PAM user name (thanks #<9D>#<91>)
* support substring expressions ${var:offset:length} in attribute mapping (thanks Giovanni Mascellani)
* also honor the ignorecase option in PAM

changes from 0.9.5 to 0.9.6
---------------------------

* fix a race condition in signal handling during start-up that would cause nslcd to exit if a signal (such as SIGUSR1 that can be sent when network status changes) is received
* fix signed integer overflow on 32bit systems when using objectSid (thanks Geoffrey McRae)
* allow longer configuration values (thanks Jed Liu)
* add an nss_getgrent_skipmembers option to disable retrieving group members to improve performance in specific environments
* add an nss_disable_enumeration option to disable full listing of all users and groups to improve performance in specific environments (thanks Andrew Elble)
* implement an innetgr function in the Solaris NSS module

changes from 0.9.4 to 0.9.5
---------------------------

* improve test suite (change IP range)
* handle situation better when server (or firewall) closed the connection (thanks Tim Harder)
* make daemonising a little more robust and try to log more failures
* fix integer format strings (thanks Jianhai Luan and Patrick McLean)
* documentation updates (thanks Dalibor Pospíšil)
* fix range check for search access (thanks David Binderma)
* fix a bug in the NSS library when encountering IPv6 addresses in the hosts map (thanks Mark R Bannister)
* allow configuring the name of the NSS and PAM modules (--with-module-name)
* adjust the Linux OOM (Out-Of-Memory) killer score to avoid killing nslcd (thanks Patrick McLean)
* portability improvements (thanks Tim Rice)

changes from 0.9.3 to 0.9.4
---------------------------

* also handle password policy information on BIND failure (this makes it possible to distinguish between a wrong password and an expired password)
* fix mapping the member attribute to an empty string
* any buffers that may have held passwords are cleared before the memory is released
* increase buffer size for passwords to support extremely long passwords (thanks ushi)
* increase buffer size for DN to support very long names or names with non-ASCII characters
* log an error in almost all places where a defined buffer is not large enough to hold the provided data instead of just (sometimes silently) failing
* logging improvements (start-up problems, login failures)
* small improvement for Solaris

changes from 0.9.2 to 0.9.3
---------------------------

* make the dn2uid cache lifetime configurable with the cache configuration option
* have the nslcd process only exit after the service is completely available to avoid race conditions in the init script
* the nslcd daemon now properly daemonises (double fork)
* support mapping the member attribute to an empty string to disable the functionality to do extra lookups for member DN to member uid translations
* implement deref control handling to request the LDAP server to dereference group member attribute values to uid values
* support getting built-in groups from Active Directory (thanks Davy Defaud)
* fix for pwdLastSet attribute value handling (thanks Joshua Shire)
* fix a possible crash in the NSS module when retrieving large networks entries (thanks Lukas Slebodnik)
* correct NSS h_errnop return value to indicate buffer too small (thanks Nalin Dahyabhai)
* fix a bug with shadow values on 64-bit architectures
* automatically detect DragonFly as using the FreeBSD NSS interface (thanks Francois Tigeot)
* add a build-time test to see if krb5 is thread-safe
* various minor bug fixes

changes from 0.9.1 to 0.9.2
---------------------------

* increase password value buffer size (by Bersl)
* avoid more broken pipe errors by using a low timeout when aborting reading requested information from nslcd (thanks John Sullivan)
* only log broken pipe errors in debugging mode
* fix buffer overflow on interrupted read that is hard to trigger (thanks John Sullivan)
* use clock_gettime() with CLOCK_MONOTONIC for timeout calculations to avoid clock adjustments errors (thanks John Sullivan)
* extend test suite to test for CLOCK_MONOTONIC and timed IO timeout calculations
* increase the maximum number of base statements per map to 31
* use larger nslcd send buffers to reduce the number of write operations in nslcd and consequently the number of reads in the NSS and PAM modules (thanks John Sullivan)
* also run invalidators after first successful search
* various clean-ups, portability improvements and fixes for compiler warnings
* import configure checks of Python modules
* provide a script for setting up slapd in a test environment, automatically loaded with the required test data
* add script for evaluating test environment availability
* portability improvements in the test scripts and test environment

changes from 0.9.0 to 0.9.1
---------------------------

* rename the nscd_invalidate option to reconnect_invalidate and allow flushing the nfsidmap cache with the new option
* implement an -n switch to not daemonise (by Caleb Callaway)
* nslcd will now return partial shadow information to non-root users to avoid authorisation problems with setgid shadow authentication helpers with some PAM stacks
* nslcd will now retry failing LDAP connections after receiving SIGUSR1 (SIGUSR1 could be sent after re-establishing a network connection)
* fix the way manual pages are installed in some situations
* the code for the nslcd utilities (getent.ldap and chsh.ldap) is now installed in {prefix}/share/nslcd-utils
* improve error and help output of the getent.ldap command
* documentation updates
* a number of tests were added and existing tests were extended
* fix for a potential, small memory leak in PAM module regarding temporary saving of old password
* a large number of bug fixes and improvements in pynslcd
* hide passwords from the pynslcd debug output
* support start_tls, pam_password_prohibit_message, nss_initgroups_ignoreusers and nss_min_uid in pynslcd
* fix rootpwmodpw handling in pynslcd
* complete a basic PAM implementation in pynslcd (some things such as shadow attribute checking remain to be implemented)
* clean up the caching functionality in pynslcd (functionality is still disabled)

changes from 0.8.12 to 0.9.0
----------------------------

* backwards incompatible change to the communications protocol between nslcd and NSS and PAM modules to use network byte order to be able to work on mixed endian multiarch systems
* netgroup lookups now make a distinction between empty netgroups and non-existing netgroups
* the PAM protocol is now more consistent (cleaner support for password modification by root, have all request parameters in the same order and limit the information returned from the call)
* request and handle password policy controls on LDAP authentication
* implement support for nested groups which can be enabled with the nss_nested_groups option (thanks Steve Hill)
* add a log option to configure log level and logging to plain files
* add an nscd_invalidate option to invalidate the nscd cache after recovering from LDAP connection problems (to clear any negative cache entries)
* allow trimming expressions with ${foo#bar} syntax in attribute mapping expressions (thanks Thorsten Glaser)
* pynslcd supports trimming expressions with full shell glob matching
* support password modification in pynslcd
* support children search scope for systems that have it
* add a getent.ldap utility to perform nslcd queries bypassing the libc NSS stack
* implement functionality for changing user information and provide a chsh.ldap utility to allow users to change their login shell
* remove deprecated use_sasl, reconnect_tries, reconnect_maxsleeptime and tls_checkpeer options which have been replaced long ago
* allow names with one character in default validnames option and allow parentheses (taken from Fedora packages)
* fall back to updating the lastChange attribute with the normal LDAP connection
* dump full nslcd configuration at debug level on start-up
* export an _nss_ldap_version symbol in the NSS module to make finding version mismatches easier (the NSS module version is logged from nslcd)
* documentation improvements
* update the coding style for the C source code to follow a more modern and commonly used coding convention
* some parts of the code were refactored or rewritten to take into account the changes within the software (e.g. configuration file handling, reduction in the number of system calls for normal communication)
* numerous smaller fixes
* portability and robustness improvements to the tests
* implement lookup_netgroup and lookup_shadow test commands for systems that cannot use getent to query these
* guess the value for --with-pam-seclib-dir configure option if it is not specified
* temporarily disable the caching functionality of pynslcd
* usability improvements in the pynslcd implementation
* various fixes for Solaris

119 lines
3.5 KiB
Makefile
# $NetBSD: Makefile,v 1.2 2012/12/13 18:20:29 ftigeot Exp $

DISTNAME=	nss-pam-ldapd-0.9.7
CATEGORIES=	databases
MASTER_SITES=	http://arthurdejong.org/nss-pam-ldapd/

MAINTAINER=	pkgsrc-users@NetBSD.org
HOMEPAGE=	http://arthurdejong.org/nss-pam-ldapd/
COMMENT=	LDAP client for nsswitch
LICENSE=	gnu-lgpl-v2

NSLCD_USER?=	nslcd
NSLCD_GROUP?=	nslcd

PKG_USERS=	${NSLCD_USER}:${NSLCD_GROUP}
PKG_GROUPS=	${NSLCD_GROUP}
PKG_USERS_VARS+=	NSLCD_USER
PKG_GROUPS_VARS+=	NSLCD_GROUP

.include "../../mk/bsd.prefs.mk"
.include "options.mk"

USE_TOOLS+=	autoconf
GNU_CONFIGURE=	yes
CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+=	--with-ldap-conf-file=${PKG_SYSCONFDIR}/nslcd.conf
CONFIGURE_ARGS+=	--with-nslcd-pidfile=${NSLCD_PIDFILE}
CONFIGURE_ARGS+=	--with-nslcd-socket=${NSLCD_SOCKET}
CONFIGURE_ARGS+=	--with-ldap-lib=openldap
CONFIGURE_ARGS+=	--with-nss-ldap-soname=${NSS_LDAP_SONAME}
CONFIGURE_ARGS+=	--with-pam-seclib-dir=${PREFIX}/lib/security
.if ${OPSYS} == "NetBSD" || ${OPSYS} == "DragonFly"
CONFIGURE_ARGS+=	--with-nss-flavour=freebsd
.endif

REPLACE_PYTHON+=	utils/chsh.py
REPLACE_PYTHON+=	utils/getent.py

# Don't strip the .so objects, they will then be useless
# e.g. because nss_module_register can't be looked up
INSTALL_UNSTRIPPED=	yes

FILES_SUBST+=	PIDFILE=${NSLCD_PIDFILE}

RCD_SCRIPTS+=	nslcd

EGDIR=		${PREFIX}/share/examples/${PKGBASE}
VARDIR=		${VARBASE}/run/nslcd
CONF_FILES=	${EGDIR}/nslcd.conf ${PKG_SYSCONFDIR}/nslcd.conf

NSLCD_PIDFILE?=	${VARDIR}/nslcd.pid
NSLCD_SOCKET?=	${VARDIR}/socket
BUILD_DEFS+=	VARBASE NSLCD_PIDFILE NSLCD_SOCKET

INSTALL_MAKE_FLAGS+=	NSLCD_CONF_PATH=${PKG_SYSCONFDIR}/nslcd.conf

# Install FreeBSD's nss_compat.c and later patch it
pre-patch:
	${CP} ${FILESDIR}/nss_compat.c ${WRKSRC}/compat

pre-configure:
	cd ${WRKSRC} && autoconf

post-install:
	${CHMOD} 0644 ${DESTDIR}${EGDIR}/nslcd.conf

.if ${OPSYS} == "NetBSD"
# Otherwise PAM_EXTERN ends up "static" and -O2 optimizes everything away
CFLAGS+=	-DNO_STATIC_MODULES

INSTALL_TEMPLATES=	INSTALL.nss
DEINSTALL_TEMPLATES=	DEINSTALL.nss
.endif

# NSS_LDAP_SONAME is used by both the NSS client and the server(!)
.if ${OPSYS} == "NetBSD"
NSS_LDAP_SONAME=	nss_ldap.so.0
.elif ${OPSYS} == "FreeBSD" || ${OPSYS} == "DragonFly" || ${OPSYS} == "SunOS"
NSS_LDAP_SONAME=	nss_ldap.so.1
.else
NSS_LDAP_SONAME=	libnss_ldap.so.2
.endif

PLIST_SUBST+=	NSS_LDAP_SONAME=${NSS_LDAP_SONAME:Q}

# PAM_LDAP_SONAME is used only by the PAM client, but define it here for consistency
.if ${OPSYS} == "SunOS"
PAM_LDAP_SONAME=	pam_ldap.so.1
.else
PAM_LDAP_SONAME=	pam_ldap.so
.endif

PLIST_SUBST+=	PAM_LDAP_SONAME=${PAM_LDAP_SONAME:Q}

SUBST_CLASSES+=	fix-paths
SUBST_STAGE.fix-paths=	pre-configure
SUBST_MESSAGE.fix-paths=Fixing config file path
SUBST_FILES.fix-paths=	man/*.[0-9] man/*.[0-9].xml
SUBST_SED.fix-paths=	-e 's|/etc/nslcd.conf|${PKG_SYSCONFDIR}/nslcd.conf|g'

# Thread Local Storage seems not to work on NetBSD-4
.if !empty(MACHINE_PLATFORM:MNetBSD-[0-4].*-*)
SUBST_CLASSES+=	disable-tls
SUBST_STAGE.disable-tls=post-configure
SUBST_MESSAGE.disable-tls=disabling TLS
SUBST_FILES.disable-tls=config.h
SUBST_SED.disable-tls=	-e 's|/\* \#undef __thread \*/|\#define __thread /\*\*/|'
.endif

SUBST_CLASSES+=	usergroup
SUBST_STAGE.usergroup=	post-patch
SUBST_FILES.usergroup=	nslcd.conf
SUBST_SED.usergroup=	-e 's/^uid nslcd/uid ${NSLCD_USER}/'
SUBST_SED.usergroup+=	-e 's/^gid nslcd/gid ${NSLCD_GROUP}/'

.include "../../lang/python/application.mk"
.include "../../databases/openldap-client/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"