include $(PKGROOT)/Include
PKG_NAME = nss_ldap
-PKG_VER = 262
+PKG_VER = 265
PKG_REL = 1
PKG_MAINTAINER =
PKG_LICENSE = LGPLv2+
PKG_SUMMARY = NSS library and PAM module for LDAP.
-PKG_BUILD_DEPS+= cyrus-sasl-devel openldap-devel
+PKG_BUILD_DEPS+= autoconf automake cyrus-sasl-devel openldap-devel
define PKG_DESCRIPTION
This package includes two LDAP access clients: nss_ldap and \
PKG_TARBALL = $(THISAPP).tar.gz
-CONFIGURE_OPTIONS = \
- --prefix=/ \
- --libdir=/usr/lib \
+PKG_PATCHES = \
+ nss_ldap-265-depth.patch \
+ nss_ldap-254-soname.patch \
+ nss_ldap-257-mozldap.patch \
+ nss_ldap-259-res_init.patch \
+ nss_ldap-264-checkcase.patch \
+ nss_ldap-265-ent_internal.patch \
+ nss_ldap-264-cloexec.patch \
+ nss_ldap-265-local_users.patch \
+ nss_ldap-265-erange.patch \
+ nss_ldap-265-initgroups-minimum_uid.patch \
+ nss_ldap-265-fix-uninit.patch \
+ nss_ldap-265-padl-bug-418.patch \
+ nss_ldap-265-setnetgrent.patch
+
+CONFIGURE_OPTIONS += \
--sysconfdir=/etc \
- --mandir=/usr/share/man \
- --with-ldap=openldap \
- --enable-schema-mapping
+ --libdir=/lib \
+ --with-ldap-lib=openldap \
+ --enable-rfc2307bis \
+ --with-ldap-conf-file=/etc/nss_ldap.conf \
+ --with-ldap-secret-file=/etc/nss_ldap.secret
+
+define STAGE_PREPARE_CMDS
+ cd $(DIR_APP) && sed -i -e 's,^ldap.conf$$,nss_ldap.conf,g' *.5
+ cd $(DIR_APP) && sed -i -e 's,^/etc/ldap\.,/etc/nss_ldap.,g' *.5
+ cd $(DIR_APP) && sed -i -e 's,ldap.secret,nss_ldap.secret,g' *.5
+ cd $(DIR_APP) && sed -i -e 's,(ldap.conf),(nss_ldap.conf),g' *.5
+
+ # Fix call for vers_string.
+ cd $(DIR_APP) && sed -e "s/vers_string/.\/&/g" -i Makefile*
+
+ cd $(DIR_APP) && autoreconf -vfi
+endef
+
+STAGE_BUILD_TARGETS += LDFLAGS="-Wl,-z,nodelete"
+
+STAGE_INSTALL_TARGETS += LIBC_VERS=$(PKG_VER)
define STAGE_INSTALL_CMDS
# Remove awkward directory
rm -rvf $(BUILDROOT)/usr/usr
+ mv -v $(BUILDROOT)/lib/* $(BUILDROOT)/usr/lib
+ rm -rvf $(BUILDROOT)/lib
+ ln -svf libnss_ldap-$(PKG_VER).so $(BUILDROOT)/usr/lib/libnss_ldap.so
+
+ rm -vf $(BUILDROOT)/etc/nsswitch.ldap
+
+ cd $(DIR_APP) && sed 's|dc=padl|dc=example|g' ldap.conf > \
+ $(BUILDROOT)/etc/nss_ldap.conf
+ touch $(BUILDROOT)/etc/nss_ldap.secret
+
ln -svf libnss_ldap.so.2 $(BUILDROOT)/usr/lib/libnss_ldap.so
endef
--- /dev/null
+Set the soname which glibc expects us to have.
+--- nss_ldap-254/configure.in 2007-02-26 16:40:53.000000000 -0500
++++ nss_ldap-254/configure.in 2007-02-26 16:40:47.000000000 -0500
+@@ -92,7 +92,7 @@
+ nss_ldap_so_LDFLAGS="-b -dynamic -G `cat exports.hpux`"
+ CPPFLAGS="$CPPFLAGS -I. -DHPUX"
+ TARGET_OS=HPUX ;;
+-linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
++linux*) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux -Wl,-soname=libnss_ldap.so.2" ;;
+ *) nss_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic" ;;
+ esac
+
--- /dev/null
+Go back to using AC_TRY_COMPILE to detect <ldap_ssl.h>, which requires
+that <ldap.h> be included before it.
+
+Use the draft-specified value "0" instead of a preprocessor define which
+mozldap doesn't provide (LDAP_OPT_SUCCESS).
+
+Don't fail to compile if libldap doesn't provide ldap_create_control(),
+just fail at run-time if we try to use it.
+
+Only try to set non-portable options that the libldap which is being used
+supports.
+
+Don't depend on ldap_alloc_ber_with_options() being there; fall back to
+either ber_alloc_t() or the deprecated der_alloc().
+
+Learn about Mozilla LDAP 6.
+
+Prefer </usr/include/nss.h> to <nss.h>, because <nss.h> can also be the
+security toolkit used by Mozilla's LDAP SDK rather than libc's nsswitch
+header, and if we've set the include path, we could be screwed.
+
+Strip off any '/' which appears in our hostname before passing it to
+ldap_init().
+
+diff -up nss_ldap/configure.in nss_ldap/configure.in
+--- nss_ldap/configure.in 2007-11-14 14:21:54.000000000 -0500
++++ nss_ldap/configure.in 2007-11-14 15:01:32.000000000 -0500
+@@ -41,7 +41,7 @@ dnl
+ AC_ARG_ENABLE(configurable-krb5-ccname-env, [ --enable-configurable-krb5-ccname-env enable configurable Kerberos V credentials cache name (putenv method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_ENV)])
+ AC_ARG_ENABLE(configurable-krb5-ccname-gssapi, [ --enable-configurable-krb5-ccname-gssapi enable configurable Kerberos V credentials cache name (gssapi method)], [AC_DEFINE(CONFIGURE_KRB5_CCNAME) AC_DEFINE(CONFIGURE_KRB5_CCNAME_GSSAPI)])
+
+-AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
++AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|mozilla|netscape5|netscape4|netscape3|umich|openldap]])
+ AC_ARG_WITH(ldap-dir, [ --with-ldap-dir=DIR base directory of LDAP SDK])
+ AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file],
+ [ NSS_LDAP_PATH_CONF="$with_ldap_conf_file" ],
+@@ -132,17 +132,18 @@ AC_SUBST(NSS_LDAP_LDFLAGS)
+
+ AC_CHECK_HEADERS(lber.h)
+ AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
+-AC_CHECK_HEADERS(ldap_ssl.h)
++dnl AC_CHECK_HEADERS(ldap_ssl.h)
+
+-dnl AC_MSG_CHECKING(for ldap_ssl.h)
+-dnl AC_TRY_COMPILE([#include <sys/types.h>
+-dnl #include <ldap.h>
+-dnl #include <ldap_ssl.h>], ,
+-dnl [
+-dnl AC_MSG_RESULT(yes),
+-dnl AC_DEFINE(HAVE_LDAP_SSL_H, 1)
+-dnl ],
+-dnl AC_MSG_RESULT(no))
++AC_MSG_CHECKING(for ldap_ssl.h)
++AC_TRY_COMPILE([
++ #include <sys/types.h>
++ #include <ldap.h>
++ #include <ldap_ssl.h>],[],
++ [
++ AC_MSG_RESULT(yes)
++ AC_DEFINE(HAVE_LDAP_SSL_H,1,[Define if you have <ldap_ssl.h>.])
++ ],
++ AC_MSG_RESULT(no))
+
+ # For HP-UX and AIX we use private API, the headers for which
+ # are included locally. We need to do something to stop both
+@@ -150,7 +151,8 @@ dnl AC_MSG_RESULT(no))
+ case "$target_os" in
+ aix*) AC_CHECK_HEADERS(irs.h usersec.h) ;;
+ hpux*) AC_CHECK_HEADERS(nsswitch.h) ;;
+- *) AC_CHECK_HEADERS(nss.h)
++ *) AC_CHECK_HEADERS(/usr/include/nss.h)
++ AC_CHECK_HEADERS(nss.h)
+ AC_CHECK_HEADERS(nsswitch.h)
+ AC_CHECK_HEADERS(irs.h) ;;
+ esac
+@@ -297,6 +299,9 @@ if test -z "$found_ldap_lib" -a \( $with
+ AC_CHECK_LIB(lber, main)
+ AC_CHECK_LIB(ldap, main, [LIBS="-lldap $LIBS" found_ldap_lib=yes],,$LIBS)
+ fi
++if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = mozilla \); then
++AC_CHECK_LIB(ldap60, main, LIBS="-lssldap60 -lprldap60 -lldap60 -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
++fi
+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
+ AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
+ fi
+@@ -331,6 +336,7 @@ AC_CHECK_FUNCS(ldap_init ldap_get_lderrn
+ AC_CHECK_FUNCS(ldap_ld_free ldap_explode_rdn ldap_set_option ldap_get_option)
+ AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s ldap_initialize ldap_search_ext)
+ AC_CHECK_FUNCS(ldap_create_control ldap_create_page_control ldap_parse_page_control)
++AC_CHECK_FUNCS(ldap_alloc_ber_with_options ber_alloc_t der_alloc)
+ if test "$enable_ssl" \!= "no"; then
+ AC_CHECK_FUNCS(ldapssl_client_init ldap_start_tls_s ldap_pvt_tls_set_option ldap_start_tls)
+ fi
+diff -up nss_ldap/ldap-nss.h nss_ldap/ldap-nss.h
+--- nss_ldap/ldap-nss.h 2007-11-14 14:21:54.000000000 -0500
++++ nss_ldap/ldap-nss.h 2007-11-14 15:05:57.000000000 -0500
+@@ -58,6 +58,8 @@
+ #include <nss_common.h>
+ #include <nss_dbdefs.h>
+ #include <nsswitch.h>
++#elif defined(HAVE__USR_INCLUDE_NSS_H)
++#include </usr/include/nss.h>
+ #elif defined(HAVE_NSS_H)
+ #include <nss.h>
+ #elif defined(HAVE_IRS_H)
+diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c
+--- nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500
++++ nss_ldap/ldap-nss.c 2007-11-14 14:21:54.000000000 -0500
+@@ -1069,6 +1069,23 @@ do_init_session (LDAP ** ld, const char
+ defport = atoi (p + 1);
+ uri = uribuf;
+ }
++ else
++ {
++ size_t urilen = strlen(uri);
++
++ if (urilen >= sizeof (uribuf))
++ {
++ return NSS_UNAVAIL;
++ }
++
++ memcpy (uribuf, uri, urilen);
++ uribuf[urilen] = '\0';
++
++ if ((urilen > 0) && (uribuf[urilen - 1] == '/'))
++ uribuf[urilen - 1] = '\0';
++
++ uri = uribuf;
++ }
+
+ # ifdef HAVE_LDAP_INIT
+ *ld = ldap_init (uri, defport);
+@@ -1537,7 +1554,7 @@ do_open (void)
+
+ if (ldap_get_option
+ (__session.ls_conn, LDAP_OPT_PROTOCOL_VERSION,
+- &version) == LDAP_OPT_SUCCESS)
++ &version) == 0)
+ {
+ if (version < LDAP_VERSION3)
+ {
+@@ -1697,6 +1714,7 @@ do_ssl_options (ldap_config_t * cfg)
+ }
+ #endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
+
++#ifdef LDAP_OPT_X_TLS_CACERTFILE
+ if (cfg->ldc_tls_cacertfile != NULL)
+ {
+ /* ca cert file */
+@@ -1709,7 +1727,9 @@ do_ssl_options (ldap_config_t * cfg)
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
++#endif
+
++#ifdef LDAP_OPT_X_TLS_CACERTDIR
+ if (cfg->ldc_tls_cacertdir != NULL)
+ {
+ /* ca cert directory */
+@@ -1722,7 +1742,9 @@ do_ssl_options (ldap_config_t * cfg)
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
++#endif
+
++#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ /* require cert? */
+ if (cfg->ldc_tls_checkpeer > -1)
+ {
+@@ -1735,7 +1757,9 @@ do_ssl_options (ldap_config_t * cfg)
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
++#endif
+
++#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+ if (cfg->ldc_tls_ciphers != NULL)
+ {
+ /* set cipher suite, certificate and private key: */
+@@ -1748,7 +1772,9 @@ do_ssl_options (ldap_config_t * cfg)
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
++#endif
+
++#ifdef LDAP_OPT_X_TLS_CERTFILE
+ if (cfg->ldc_tls_cert != NULL)
+ {
+ rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE, cfg->ldc_tls_cert);
+@@ -1759,7 +1785,9 @@ do_ssl_options (ldap_config_t * cfg)
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
++#endif
+
++#ifdef LDAP_OPT_X_TLS_CERTFILE
+ if (cfg->ldc_tls_key != NULL)
+ {
+ rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE, cfg->ldc_tls_key);
+@@ -1770,6 +1798,7 @@ do_ssl_options (ldap_config_t * cfg)
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
++#endif
+
+ debug ("<== do_ssl_options");
+
+diff -up nss_ldap/pagectrl.c nss_ldap/pagectrl.c
+--- nss_ldap/pagectrl.c 2007-08-03 00:51:09.000000000 -0400
++++ nss_ldap/pagectrl.c 2007-11-14 14:21:54.000000000 -0500
+@@ -38,6 +38,17 @@ static char rcsId[] = "$Id: pagectrl.c,v
+ #define LDAP_CONTROL_PAGE_OID "1.2.840.113556.1.4.319"
+ #endif
+
++#ifndef HAVE_LDAP_CREATE_CONTROL
++#define ldap_create_control _nss_ldap_fail_to_create_control
++static int
++ldap_create_control(const char *oid, BerElement *value,
++ int iscritical, LDAPControl ** ctrlp)
++{
++ *ctrlp = NULL;
++ return LDAP_ENCODING_ERROR;
++}
++#endif
++
+ #ifndef HAVE_LDAP_CREATE_PAGE_CONTROL
+ /*---
+ ldap_create_page_control
+@@ -78,9 +89,6 @@ static char rcsId[] = "$Id: pagectrl.c,v
+
+ ---*/
+
+-#ifndef HAVE_LDAP_CREATE_CONTROL
+-#error LDAP client library does not support ldap_create_control()
+-#else
+ int
+ ldap_create_page_control (LDAP * ld,
+ unsigned long pagesize,
+@@ -97,10 +105,24 @@ ldap_create_page_control (LDAP * ld,
+ return (LDAP_PARAM_ERROR);
+ }
+
++#ifdef HAVE_LDAP_ALLOC_BER_WITH_OPTIONS
+ if ((ber = ldap_alloc_ber_with_options (ld)) == NULL)
+ {
+ return (LDAP_NO_MEMORY);
+ }
++#elif defined(HAVE_BER_ALLOC_T) && defined(LBER_USE_DER)
++ if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL)
++ {
++ return (LDAP_NO_MEMORY);
++ }
++#elif defined(HAVE_DER_ALLOC)
++ if ((ber = der_alloc()) == NULL)
++ {
++ return (LDAP_NO_MEMORY);
++ }
++#else
++ return (LDAP_NO_MEMORY);
++#endif
+
+ tag = ber_printf (ber, "{i", pagesize);
+ if (tag == LBER_ERROR)
+@@ -126,7 +148,6 @@ exit:
+ ber_free (ber, 1);
+ return (LDAP_ENCODING_ERROR);
+ }
+-#endif /* HAVE_LDAP_CREATE_CONTROL */
+ #endif /* HAVE_LDAP_CREATE_PAGE_CONTROL */
+
+ #ifndef HAVE_LDAP_PARSE_PAGE_CONTROL
+@@ -154,9 +175,6 @@ exit:
+
+ ---*/
+
+-#ifndef HAVE_LDAP_CREATE_CONTROL
+-#error LDAP client library does not support ldap_create_control()
+-#else
+ int
+ ldap_parse_page_control (LDAP * ld,
+ LDAPControl ** ctrls,
+@@ -222,5 +240,4 @@ foundPageControl:
+
+ return (LDAP_SUCCESS);
+ }
+-#endif /* HAVE_LDAP_CREATE_CONTROL */
+ #endif /* HAVE_LDAP_PARSE_PAGE_CONTROL */
--- /dev/null
+Workaround for a NetworkManager/Upstart combination making things
+interesting. When an application starts before the network is up,
+/etc/resolv.conf is empty, causing the application to attempt to use a
+local resolver. When the network comes up later, /etc/resolv.conf gets
+populated with nameserver addresses, but the application doesn't re-read
+it. This screws nss_ldap later on, because the LDAP client library
+needs to be able to resolve the directory server's address, but it can't
+without a local resolver which is probably not started.
+
+diff -up nss_ldap-259/configure.in nss_ldap-259/configure.in
+--- nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400
++++ nss_ldap-259/configure.in 2008-04-16 10:42:15.000000000 -0400
+@@ -176,6 +176,7 @@ AC_CHECK_HEADERS(alignof.h)
+ AC_CHECK_HEADERS(rpc/rpcent.h)
+ AC_CHECK_HEADERS(sys/byteorder.h)
+ AC_CHECK_HEADERS(sys/un.h)
++AC_CHECK_HEADERS(sys/stat.h)
+ AC_CHECK_HEADERS(libc-lock.h)
+ AC_CHECK_HEADERS(bits/libc-lock.h)
+ AC_CHECK_HEADERS(sasl.h sasl/sasl.h)
+diff -up nss_ldap-259/ldap-nss.c nss_ldap-259/ldap-nss.c
+--- nss_ldap-259/ldap-nss.c 2008-04-16 10:42:15.000000000 -0400
++++ nss_ldap-259/ldap-nss.c 2008-04-16 10:48:02.000000000 -0400
+@@ -44,10 +44,16 @@ static char rcsId[] =
+ #include <syslog.h>
+ #include <signal.h>
+ #include <fcntl.h>
++#ifdef HAVE_SYS_STAT_H
++#include <sys/stat.h>
++#endif
+ #include <sys/time.h>
+ #include <sys/socket.h>
+ #include <sys/param.h>
+ #include <errno.h>
++#ifdef HAVE_RESOLV_H
++#include <resolv.h>
++#endif
+ #ifdef HAVE_SYS_UN_H
+ #include <sys/un.h>
+ #endif
+@@ -1021,8 +1027,31 @@ _nss_ldap_close (void)
+ do_close ();
+ }
+
++static void
++_nss_ldap_res_init (const char *uri)
++{
++ if (strncmp(uri, "ldapi://", 8) != 0)
++ {
++ struct stat st;
++ static time_t last_mtime = (time_t) -1;
++#if defined(HAVE_RESOLV_H) && defined(_PATH_RESCONF)
++ NSS_LDAP_DEFINE_LOCK (_nss_ldap_res_init_lock);
++ NSS_LDAP_LOCK (_nss_ldap_res_init_lock);
++ if (stat(_PATH_RESCONF, &st) == 0)
++ {
++ if (last_mtime != st.st_mtime)
++ {
++ last_mtime = st.st_mtime;
++ res_init();
++ }
++ }
++ NSS_LDAP_UNLOCK (_nss_ldap_res_init_lock);
++#endif
++ }
++}
++
+ static NSS_STATUS
+-do_init_session (LDAP ** ld, const char *uri, int defport)
++do_init_session (LDAP ** ld, const char *uri, int defport, int res_init_hack)
+ {
+ int rc;
+ int ldaps;
+@@ -1050,6 +1079,8 @@ do_init_session (LDAP ** ld, const char
+ uri = uribuf;
+ }
+
++ if (res_init_hack)
++ _nss_ldap_res_init(uri);
+ rc = ldap_initialize (ld, uri);
+ #else
+ if (strncasecmp (uri, "ldap://", sizeof ("ldap://") - 1) != 0)
+@@ -1075,6 +1106,8 @@ do_init_session (LDAP ** ld, const char
+ defport = atoi (p + 1);
+ uri = uribuf;
+ }
++ if (res_init_hack)
++ _nss_ldap_res_init(NULL);
+ # ifdef HAVE_LDAP_INIT
+ *ld = ldap_init (uri, defport);
+ # else
+@@ -1346,7 +1379,8 @@ do_init (void)
+
+ stat = do_init_session (&__session.ls_conn,
+ cfg->ldc_uris[__session.ls_current_uri],
+- cfg->ldc_port);
++ cfg->ldc_port,
++ cfg->ldc_resolv_conf_res_init_hack);
+ if (stat != NSS_SUCCESS)
+ {
+ debug ("<== do_init (failed to initialize LDAP session)");
+diff -up nss_ldap-259/ldap-nss.h nss_ldap-259/ldap-nss.h
+--- nss_ldap-259/ldap-nss.h 2008-04-16 10:45:49.000000000 -0400
++++ nss_ldap-259/ldap-nss.h 2008-04-16 10:45:52.000000000 -0400
+@@ -400,6 +400,9 @@ struct ldap_config
+ time_t ldc_mtime;
+
+ char **ldc_initgroups_ignoreusers;
++
++ /* disable the do-res_init()-on-resolv.conf-changes hack */
++ unsigned int ldc_resolv_conf_res_init_hack;
+ };
+
+ typedef struct ldap_config ldap_config_t;
+diff -up nss_ldap-259/util.c nss_ldap-259/util.c
+--- nss_ldap-259/util.c 2008-04-16 10:48:08.000000000 -0400
++++ nss_ldap-259/util.c 2008-04-16 10:50:14.000000000 -0400
+@@ -680,6 +680,8 @@ NSS_STATUS _nss_ldap_init_config (ldap_c
+ }
+ }
+
++ result->ldc_resolv_conf_res_init_hack = 1;
++
+ return NSS_SUCCESS;
+ }
+
+@@ -1204,6 +1206,19 @@ _nss_ldap_readconfig (ldap_config_t ** p
+ {
+ t = &result->ldc_srv_domain;
+ }
++ else if (!strcasecmp (k, "nss_resolv_conf_res_init_hack"))
++ {
++ if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
++ || !strcasecmp (v, "true"))
++ {
++ result->ldc_resolv_conf_res_init_hack = 1;
++ }
++ else if (!strcasecmp (v, "off") || !strcasecmp (v, "no")
++ || !strcasecmp (v, "false"))
++ {
++ result->ldc_resolv_conf_res_init_hack = 0;
++ }
++ }
+ else
+ {
+ /*
--- /dev/null
+Search attribute which are not case-sensitive in a directory, but which
+are in local files on a glibc-based system:
+
+ posixAccount.uid: struct passwd.pw_name
+ shadowAccount.uid: struct shadow.sp_namp
+ posixGroup.cn: struct group.gr_name
+ ipService.cn,ipServiceProtocol: struct servent.s_name,s_proto
+ ipProtocol.cn: struct protoent.p_name
+ ipHost.cn: OK, actually not case-sensitive in local files
+ ipNetwork.cn: OK, actually not case-sensitive in local files
+ rfc822MailAlias.cn: OK, actually not case-sensitive in local files
+ oncRpc.cn: struct rpcent.r_name
+ nisNetgroup.cn: N/A
+ nisMap.nisMapName: N/A
+ nisObject.nisMapName: N/A
+ nisObject.cn: N/A
+ ieee802Device: N/A
+ bootableDevice: N/A
+ automount.automountKey: no defined structure
+
+This patch adds additional logic to reject the result of a search if the
+field in the result which corresponds to the original request differs
+by case from the actual request (for example, when a search for a group
+named "bob" turns up a group named "Bob"), but currently only covers
+glibc-style systems. Upstream #399.
+
+diff -ur nss_ldap-264/ldap-grp.c nss_ldap-264/ldap-grp.c
+--- nss_ldap-264/ldap-grp.c 2009-07-02 11:01:03.000000000 -0400
++++ nss_ldap-264/ldap-grp.c 2009-07-02 10:57:37.000000000 -0400
+@@ -1201,7 +1201,8 @@
+ char *buffer, size_t buflen, int *errnop)
+ {
+ LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getgrnam,
+- LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP);
++ LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP)
++ AND_REQUIRE_MATCH(name, result->gr_name);
+ }
+ #elif defined(HAVE_NSSWITCH_H)
+ static NSS_STATUS
+diff -ur nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c
+--- nss_ldap-264/ldap-nss.c 2009-07-02 11:01:03.000000000 -0400
++++ nss_ldap-264/ldap-nss.c 2009-07-02 10:46:39.000000000 -0400
+@@ -4300,4 +4300,17 @@
+ return lderrno;
+ }
+
++NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result,
++ const char *requested_name,
++ const char *actual_name)
++{
++ if ((result == NSS_SUCCESS) &&
++ (requested_name != NULL) &&
++ (actual_name != NULL) &&
++ (strcasecmp(requested_name, actual_name) == 0) &&
++ (strcmp(requested_name, actual_name) != 0)) {
++ return NSS_NOTFOUND;
++ }
++ return result;
++}
+
+diff -ur nss_ldap-264/ldap-nss.h nss_ldap-264/ldap-nss.h
+--- nss_ldap-264/ldap-nss.h 2009-07-02 11:01:03.000000000 -0400
++++ nss_ldap-264/ldap-nss.h 2009-07-02 10:28:59.000000000 -0400
+@@ -911,4 +911,8 @@
+ #ifdef CONFIGURE_KRB5_KEYTAB
+ int do_init_krb5_cache(ldap_config_t *config);
+ #endif /* CONFIGURE_KRB5_KEYTAB */
++NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result,
++ const char *requested_name,
++ const char *actual_name);
++
+ #endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */
+diff -ur nss_ldap-264/ldap-parse.h nss_ldap-264/ldap-parse.h
+--- nss_ldap-264/ldap-parse.h 2006-09-13 02:42:08.000000000 -0400
++++ nss_ldap-264/ldap-parse.h 2009-07-02 10:56:54.000000000 -0400
+@@ -94,6 +94,7 @@
+
+ #define LOOKUP_NAME(name, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \
+ ldap_args_t a; \
++ NSS_STATUS s; \
+ if (buflen < req_buflen) { \
+ *errnop = ERANGE; \
+ return NSS_TRYAGAIN; \
+@@ -101,7 +102,8 @@
+ LA_INIT(a); \
+ LA_STRING(a) = name; \
+ LA_TYPE(a) = LA_TYPE_STRING; \
+- return _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser);
++ s = _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser); \
++ return s
+ #define LOOKUP_NUMBER(number, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \
+ ldap_args_t a; \
+ if (buflen < req_buflen) { \
+@@ -199,4 +201,7 @@
+
+ #endif /* HAVE_NSSWITCH_H */
+
++#define AND_REQUIRE_MATCH(name,field) \
++ == NSS_SUCCESS ? _nss_ldap_expect_name(s,name,field) : s
++
+ #endif /* _LDAP_NSS_LDAP_LDAP_PARSE_H */
+diff -ur nss_ldap-264/ldap-proto.c nss_ldap-264/ldap-proto.c
+--- nss_ldap-264/ldap-proto.c 2006-09-13 02:42:08.000000000 -0400
++++ nss_ldap-264/ldap-proto.c 2009-07-02 10:58:25.000000000 -0400
+@@ -113,7 +113,8 @@
+ {
+ LOOKUP_NAME (name, result, buffer, buflen, errnop,
+ _nss_ldap_filt_getprotobyname, LM_PROTOCOLS,
+- _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT);
++ _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT)
++ AND_REQUIRE_MATCH(name, result->p_name);
+ }
+ #endif
+
+diff -ur nss_ldap-264/ldap-pwd.c nss_ldap-264/ldap-pwd.c
+--- nss_ldap-264/ldap-pwd.c 2009-07-02 11:01:03.000000000 -0400
++++ nss_ldap-264/ldap-pwd.c 2009-07-02 10:57:15.000000000 -0400
+@@ -243,7 +243,8 @@
+ char *buffer, size_t buflen, int *errnop)
+ {
+ LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
+- LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
++ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
++ AND_REQUIRE_MATCH(name, result->pw_name);
+ }
+ #elif defined(HAVE_NSSWITCH_H)
+ static NSS_STATUS
+diff -ur nss_ldap-264/ldap-rpc.c nss_ldap-264/ldap-rpc.c
+--- nss_ldap-264/ldap-rpc.c 2009-07-02 11:01:03.000000000 -0400
++++ nss_ldap-264/ldap-rpc.c 2009-07-02 10:58:01.000000000 -0400
+@@ -123,7 +123,8 @@
+ {
+ LOOKUP_NAME (name, result, buffer, buflen, errnop,
+ _nss_ldap_filt_getrpcbyname, LM_RPC, _nss_ldap_parse_rpc,
+- LDAP_NSS_BUFLEN_DEFAULT);
++ LDAP_NSS_BUFLEN_DEFAULT)
++ AND_REQUIRE_MATCH(name, result->r_name);
+ }
+ #endif
+
+diff -ur nss_ldap-264/ldap-service.c nss_ldap-264/ldap-service.c
+--- nss_ldap-264/ldap-service.c 2009-07-02 15:44:14.000000000 -0400
++++ nss_ldap-264/ldap-service.c 2009-07-02 15:45:07.000000000 -0400
+@@ -230,16 +230,20 @@
+ char *buffer, size_t buflen, int *errnop)
+ {
+ ldap_args_t a;
++ NSS_STATUS s;
+
+ LA_INIT (a);
+ LA_STRING (a) = name;
+ LA_TYPE (a) = (proto == NULL) ? LA_TYPE_STRING : LA_TYPE_STRING_AND_STRING;
+ LA_STRING2 (a) = proto;
+
+- return _nss_ldap_getbyname (&a, result, buffer, buflen, errnop,
+- ((proto == NULL) ? _nss_ldap_filt_getservbyname
+- : _nss_ldap_filt_getservbynameproto),
+- LM_SERVICES, _nss_ldap_parse_serv);
++ s = _nss_ldap_getbyname (&a, result, buffer, buflen, errnop,
++ ((proto == NULL) ? _nss_ldap_filt_getservbyname
++ : _nss_ldap_filt_getservbynameproto),
++ LM_SERVICES, _nss_ldap_parse_serv);
++ s = _nss_ldap_expect_name(s, name, result->s_name);
++ s = _nss_ldap_expect_name(s, proto, result->s_proto);
++ return s;
+ }
+ #endif
+
+diff -ur nss_ldap-264/ldap-spwd.c nss_ldap-264/ldap-spwd.c
+--- nss_ldap-264/ldap-spwd.c 2009-07-02 11:01:03.000000000 -0400
++++ nss_ldap-264/ldap-spwd.c 2009-07-02 10:58:50.000000000 -0400
+@@ -149,7 +149,8 @@
+ char *buffer, size_t buflen, int *errnop)
+ {
+ LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getspnam,
+- LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT);
++ LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT)
++ AND_REQUIRE_MATCH (name, result->sp_namp);
+ }
+ #elif defined(HAVE_NSSWITCH_H)
+ static NSS_STATUS
+--- nss_ldap-264/ldap-automount.c 2009-07-02 16:03:30.000000000 -0400
++++ nss_ldap-264/ldap-automount.c 2009-07-02 16:03:48.000000000 -0400
+@@ -384,7 +384,7 @@
+ _nss_ldap_filt_getautomntbyname,
+ LM_AUTOMOUNT,
+ _nss_ldap_parse_automount);
+-
++ stat = _nss_ldap_expect_name(stat, key, canon_key ? *canon_key : NULL);
+ if (stat != NSS_NOTFOUND)
+ {
+ break; /* on success or error other than not found */
--- /dev/null
+diff -up nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c
+--- nss_ldap-264/ldap-nss.c 2009-07-23 18:55:15.290388484 -0400
++++ nss_ldap-264/ldap-nss.c 2009-07-23 19:01:33.328398737 -0400
+@@ -896,6 +896,7 @@ do_drop_connection(int sd, int closeSd)
+ /* we must let dup2 close sd for us to avoid race conditions
+ * in multithreaded code.
+ */
++ fcntl (dummyfd, F_SETFD, 1L);
+ do_dupfd (dummyfd, sd);
+ do_closefd (dummyfd);
+ }
--- /dev/null
+Check if we can use thread-local storage, and if we can, use one to avoid a
+self-deadlock if we recurse into our own host resolution routines from inside
+of another lookup attempt. Revised from patch originally submitted for #340.
+
+diff -up nss_ldap-265/config.h.in nss_ldap-265/config.h.in
+--- nss_ldap-265/config.h.in 2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265/config.h.in 2010-01-08 17:29:49.000000000 -0500
+@@ -304,6 +304,11 @@
+ /* Define to 1 if you have the <thread.h> header file. */
+ #undef HAVE_THREAD_H
+
++/* Define if your toolchain supports thread-local storage, which can be used
++ for detecting self- and mutual-recursion problems when performing
++ host/address lookups. */
++#undef HAVE_THREAD_LOCAL_STORAGE
++
+ /* Define to 1 if you have the <unistd.h> header file. */
+ #undef HAVE_UNISTD_H
+
+diff -up nss_ldap-265/configure.in nss_ldap-265/configure.in
+--- nss_ldap-265/configure.in 2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265/configure.in 2010-01-08 17:29:49.000000000 -0500
+@@ -27,6 +27,14 @@ dnl
+
+ AC_ARG_ENABLE(debugging, [ --enable-debugging enable debug code ], [AC_DEFINE(DEBUG)])
+
++AC_MSG_CHECKING(for thread-local storage)
++AC_TRY_COMPILE([],[static __thread int _nss_ldap_recursion_count;],
++ [
++ AC_MSG_RESULT(yes)
++ AC_DEFINE(HAVE_THREAD_LOCAL_STORAGE,1,[Define if your toolchain supports thread-local storage, which can be used for detecting self- and mutual-recursion problems when performing host/address lookups.])
++ ],
++ AC_MSG_RESULT(no))
++
+ dnl
+ dnl --enable-paged-results is now deprecated; if this option is set,
+ dnl then paged results will be enabled by default. However, it can
+diff -up nss_ldap-265/depth.c nss_ldap-265/depth.c
+--- nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500
++++ nss_ldap-265/depth.c 2010-01-08 17:29:49.000000000 -0500
+@@ -0,0 +1,24 @@
++#include "config.h"
++#include "depth.h"
++
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++static __thread int depth = 0;
++
++int
++_nss_ldap_get_depth (void)
++{
++ return depth;
++}
++
++int
++_nss_ldap_inc_depth (void)
++{
++ return ++depth;
++}
++
++int
++_nss_ldap_dec_depth (void)
++{
++ return --depth;
++}
++#endif
+diff -up nss_ldap-265/depth.h nss_ldap-265/depth.h
+--- nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500
++++ nss_ldap-265/depth.h 2010-01-08 17:29:49.000000000 -0500
+@@ -0,0 +1,3 @@
++int _nss_ldap_get_depth (void);
++int _nss_ldap_inc_depth (void);
++int _nss_ldap_dec_depth (void);
+diff -up nss_ldap-265/ldap-hosts.c nss_ldap-265/ldap-hosts.c
+--- nss_ldap-265/ldap-hosts.c 2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265/ldap-hosts.c 2010-01-08 17:33:38.000000000 -0500
+@@ -66,6 +66,7 @@ static char rcsId[] =
+ #include "ldap-nss.h"
+ #include "ldap-hosts.h"
+ #include "util.h"
++#include "depth.h"
+
+ #ifdef HAVE_PORT_AFTER_H
+ #include <port_after.h>
+@@ -280,6 +281,11 @@ _nss_ldap_gethostbyname2_r (const char *
+ }
+ #endif
+
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
++
+ LA_INIT (a);
+ LA_STRING (a) = name;
+ LA_TYPE (a) = LA_TYPE_STRING;
+@@ -355,6 +361,11 @@ _nss_ldap_gethostbyaddr_r (struct in_add
+ NSS_STATUS status;
+ ldap_args_t a;
+
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
++
+ /* if querying by IPv6 address, make sure the address is "normalized" --
+ * it should contain no leading zeros and all components of the address.
+ * still we can't fit an IPv6 address in an int, so who cares for now.
+@@ -391,6 +402,11 @@ _nss_ldap_sethostent_r (nss_backend_t *
+ #endif
+ #if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
++
+ LOOKUP_SETENT (hosts_context);
+ }
+ #endif
+@@ -403,6 +419,11 @@ _nss_ldap_endhostent_r (nss_backend_t *
+ #endif
+ #if defined(HAVE_NSS_H) || defined(HAVE_NSSWITCH_H)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
++
+ LOOKUP_ENDENT (hosts_context);
+ }
+ #endif
+@@ -435,6 +456,11 @@ _nss_ldap_gethostent_r (struct hostent *
+ {
+ NSS_STATUS status;
+
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
++
+ status = _nss_ldap_getent (&hosts_context,
+ result,
+ buffer,
+diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c
+--- nss_ldap-265/ldap-nss.c 2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265/ldap-nss.c 2010-01-08 17:29:49.000000000 -0500
+@@ -93,6 +93,7 @@ static char rcsId[] =
+ #include "util.h"
+ #include "dnsconfig.h"
+ #include "pagectrl.h"
++#include "depth.h"
+
+ #if defined(HAVE_THREAD_H) && !defined(_AIX)
+ #ifdef HAVE_PTHREAD_ATFORK
+@@ -578,6 +579,9 @@ _nss_ldap_enter (void)
+ debug ("==> _nss_ldap_enter");
+
+ NSS_LDAP_LOCK (__lock);
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ _nss_ldap_inc_depth();
++#endif
+
+ /*
+ * Patch for Debian Bug 130006:
+@@ -623,6 +627,9 @@ _nss_ldap_leave (void)
+ }
+ #endif /* HAVE_SIGACTION */
+
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ _nss_ldap_dec_depth();
++#endif
+ NSS_LDAP_UNLOCK (__lock);
+
+ debug ("<== _nss_ldap_leave");
+diff -up nss_ldap-265/Makefile.am nss_ldap-265/Makefile.am
+--- nss_ldap-265/Makefile.am 2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265/Makefile.am 2010-01-08 17:31:45.000000000 -0500
+@@ -23,7 +23,7 @@ nss_ldap_so_SOURCES = ldap-nss.c ldap-pw
+ ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \
+ ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
+ dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c \
+- vers.c
++ vers.c depth.c
+
+ nss_ldap_so_LDFLAGS = @nss_ldap_so_LDFLAGS@
+
--- /dev/null
+Distinguish between contexts that are somewhat persistent and one-offs
+which are used to fulfill part of a larger request. Proposed for #322.
+
+diff -up nss_ldap-265/ldap-grp.c nss_ldap-265/ldap-grp.c
+--- nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500
++++ nss_ldap-265/ldap-grp.c 2010-01-08 17:38:38.000000000 -0500
+@@ -859,7 +859,7 @@ ng_chase (const char *dn, ldap_initgroup
+ LA_STRING (a) = dn;
+ LA_TYPE (a) = LA_TYPE_STRING;
+
+- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+ {
+ return NSS_UNAVAIL;
+ }
+@@ -931,7 +931,7 @@ ng_chase_backlink (const char ** members
+ LA_STRING_LIST (a) = filteredMembersOf;
+ LA_TYPE (a) = LA_TYPE_STRING_LIST_OR;
+
+- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+ {
+ free (filteredMembersOf);
+ return NSS_UNAVAIL;
+diff -up nss_ldap-265/ldap-netgrp.c nss_ldap-265/ldap-netgrp.c
+--- nss_ldap-265/ldap-netgrp.c 2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265/ldap-netgrp.c 2010-01-08 17:38:38.000000000 -0500
+@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t *
+ LA_TYPE (a) = LA_TYPE_STRING;
+ LA_STRING (a) = nested; /* memberNisNetgroup */
+
+- if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
++ if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
+ {
+ debug ("<== do_innetgr_nested: failed to initialize context");
+ return NSS_UNAVAIL;
+diff -up nss_ldap-265/ldap-nss.c nss_ldap-265/ldap-nss.c
+--- nss_ldap-265/ldap-nss.c 2010-01-08 17:38:38.000000000 -0500
++++ nss_ldap-265/ldap-nss.c 2010-01-08 17:40:37.000000000 -0500
+@@ -2043,6 +2043,7 @@ _nss_ldap_ent_context_init_locked (ent_c
+ debug ("<== _nss_ldap_ent_context_init_locked");
+ return NULL;
+ }
++ ctx->ec_internal = 0;
+ *pctx = ctx;
+ }
+ else
+@@ -2104,7 +2105,8 @@ do_context_release (ent_context_t * ctx,
+
+ LS_INIT (ctx->ec_state);
+
+- if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
++ if (!ctx->ec_internal &&
++ _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
+ {
+ do_close ();
+ }
+@@ -2113,6 +2115,16 @@ do_context_release (ent_context_t * ctx,
+ free (ctx);
+ }
+
++ent_context_t *
++_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx)
++{
++ ent_context_t *ctx;
++ ctx = _nss_ldap_ent_context_init_locked (pctx);
++ if (ctx != NULL)
++ ctx->ec_internal = 1;
++ return ctx;
++}
++
+ /*
+ * Clears a given context; we require the caller
+ * to acquire the lock.
+diff -up nss_ldap-265/ldap-nss.h nss_ldap-265/ldap-nss.h
+--- nss_ldap-265/ldap-nss.h 2010-01-08 17:38:38.000000000 -0500
++++ nss_ldap-265/ldap-nss.h 2010-01-08 17:42:34.000000000 -0500
+@@ -574,6 +574,8 @@ struct ent_context
+ ldap_state_t ec_state; /* eg. for services */
+ int ec_msgid; /* message ID */
+ LDAPMessage *ec_res; /* result chain */
++ int ec_internal; /* this context is just a part of a larger
++ * query for information */
+ ldap_service_search_descriptor_t *ec_sd; /* current sd */
+ struct berval *ec_cookie; /* cookie for paged searches */
+ int ec_eof; /* reached notional end of file */
+@@ -769,6 +771,15 @@ ent_context_t *_nss_ldap_ent_context_ini
+ ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **);
+
+ /*
++ * _nss_ldap_ent_context_init_internal_locked() has the same
++ * behaviour, except it marks the context as one that's being
++ * used to fetch additional data used in answering a request, i.e.
++ * that this isn't the "main" context
++ */
++
++ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **);
++
++/*
+ * _nss_ldap_ent_context_release() is used to manually free a context
+ */
+ void _nss_ldap_ent_context_release (ent_context_t **);
--- /dev/null
+If we were supposed to set ERANGE, do so again, in case do_close() or
+_nss_ldap_leave() overwrote errno with some other value. Upstream #421.
+
+diff -up nss_ldap-265/ldap-nss.ce nss_ldap-265/ldap-nss.c
+--- nss_ldap-265/ldap-nss.ce 2010-07-08 16:17:07.000000000 -0400
++++ nss_ldap-265/ldap-nss.c 2010-07-08 16:17:03.000000000 -0400
+@@ -3572,6 +3572,10 @@ _nss_ldap_getbyname (ldap_args_t * args,
+
+ debug ("<== _nss_ldap_getbyname");
+
++ /* at least for the cases where we know we have to return ERANGE */
++ if (stat == NSS_TRYAGAIN)
++ do_map_errno(stat, errnop);
++
+ return stat;
+ }
+
--- /dev/null
+--- nss_ldap-265/ldap-nss.c.orig 2010-10-18 22:11:18.112108167 +1100
++++ nss_ldap-265/ldap-nss.c 2010-10-18 22:13:20.030169868 +1100
+@@ -3449,6 +3449,7 @@
+
+ debug ("==> _nss_ldap_getbyname");
+
++ memset(&ctx, 0, sizeof(ent_context_t));
+ ctx.ec_msgid = -1;
+ ctx.ec_cookie = NULL;
+ ctx.ec_eof = 0;
--- /dev/null
+This builds off of the recursion checking introduced by -depth to avoid
+a deadlock if/when we recurse into ourselves while looking up the user's
+UID to compare it to the configured value. Revision for upstream #341.
+
+diff -ur nss_ldap-265/ldap-nss.c nss_ldap-265-2/ldap-nss.c
+--- nss_ldap-265/ldap-nss.c 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-nss.c 2010-08-19 17:25:09.000000000 -0400
+@@ -34,6 +34,7 @@
+ #endif
+
+ #include <assert.h>
++#include <pwd.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <string.h>
+@@ -4356,20 +4357,55 @@
+ int
+ _nss_ldap_test_initgroups_ignoreuser (const char *user)
+ {
+- char **p;
++ char **p, *buf;
++ size_t buflen;
++ struct passwd pwd, *passwd;
+
+- if (__config == NULL)
+- return 0;
+-
+- if (__config->ldc_initgroups_ignoreusers == NULL)
+- return 0;
+-
+- for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
++ if (__config != NULL)
+ {
+- if (strcmp (*p, user) == 0)
+- return 1;
++ if (__config->ldc_initgroups_ignoreusers != NULL)
++ for (p = __config->ldc_initgroups_ignoreusers; *p != NULL; p++)
++ {
++ if (strcmp (*p, user) == 0)
++ return 1;
++ }
++ if (__config->ldc_initgroups_minimum_uid >= 0)
++ {
++ memset (&pwd, 0, sizeof(pwd));
++ buflen = 0x100;
++ buf = malloc(buflen);
++ if (buf != NULL)
++ {
++ passwd = NULL;
++ while ((getpwnam_r(user, &pwd, buf, buflen, &passwd) != 0) &&
++ (passwd != &pwd))
++ {
++ switch (errno)
++ {
++ case ERANGE:
++ buflen *= 2;
++ free(buf);
++ if (buflen > 0x100000)
++ buf = NULL;
++ else
++ buf = malloc(buflen);
++ break;
++ case EINTR:
++ continue;
++ break;
++ default:
++ free(buf);
++ buf = NULL;
++ break;
++ }
++ if (buf == NULL)
++ break;
++ }
++ }
++ if ((passwd == &pwd) && (passwd->pw_uid < 1000))
++ return 1;
++ }
+ }
+-
+ return 0;
+ }
+
+diff -ur nss_ldap-265/ldap-nss.h nss_ldap-265-2/ldap-nss.h
+--- nss_ldap-265/ldap-nss.h 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-nss.h 2010-08-19 17:18:47.000000000 -0400
+@@ -400,6 +400,7 @@
+ time_t ldc_mtime;
+
+ char **ldc_initgroups_ignoreusers;
++ int ldc_initgroups_minimum_uid;
+
+ /* disable the do-res_init()-on-resolv.conf-changes hack */
+ unsigned int ldc_resolv_conf_res_init_hack;
+diff -ur nss_ldap-265/ldap-pwd.c nss_ldap-265-2/ldap-pwd.c
+--- nss_ldap-265/ldap-pwd.c 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/ldap-pwd.c 2010-08-19 16:40:43.000000000 -0400
+@@ -49,6 +49,7 @@
+ #include "ldap-nss.h"
+ #include "ldap-pwd.h"
+ #include "util.h"
++#include "depth.h"
+
+ #ifdef HAVE_PORT_AFTER_H
+ #include <port_after.h>
+@@ -242,6 +243,10 @@
+ struct passwd * result,
+ char *buffer, size_t buflen, int *errnop)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
+ LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
+ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
+ AND_REQUIRE_MATCH(name, result->pw_name);
+@@ -261,6 +266,10 @@
+ struct passwd *result,
+ char *buffer, size_t buflen, int *errnop)
+ {
++#ifdef HAVE_THREAD_LOCAL_STORAGE
++ if (_nss_ldap_get_depth() > 0)
++ return NSS_STATUS_UNAVAIL;
++#endif
+ LOOKUP_NUMBER (uid, result, buffer, buflen, errnop, _nss_ldap_filt_getpwuid,
+ LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
+ }
+diff -ur nss_ldap-265/nss_ldap.5 nss_ldap-265-2/nss_ldap.5
+--- nss_ldap-265/nss_ldap.5 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/nss_ldap.5 2010-08-19 17:19:23.000000000 -0400
+@@ -445,6 +445,14 @@
+ to return NSS_STATUS_NOTFOUND if called with a listed users as
+ its argument.
+ .TP
++.B nss_initgroups_minimum_uid <uid>
++This option directs the
++.B nss_ldap
++implementation of
++.BR initgroups(3)
++to return NSS_STATUS_NOTFOUND if called with a user whose UID is
++below the value given as the argument.
++.TP
+ .B nss_getgrent_skipmembers <yes|no>
+ Specifies whether or not to populate the members list in
+ the group structure for group lookups. If very large groups
+diff -ur nss_ldap-265/util.c nss_ldap-265-2/util.c
+--- nss_ldap-265/util.c 2010-08-19 17:16:51.000000000 -0400
++++ nss_ldap-265-2/util.c 2010-08-19 17:18:33.000000000 -0400
+@@ -669,6 +669,7 @@
+ result->ldc_reconnect_maxsleeptime = LDAP_NSS_MAXSLEEPTIME;
+ result->ldc_reconnect_maxconntries = LDAP_NSS_MAXCONNTRIES;
+ result->ldc_initgroups_ignoreusers = NULL;
++ result->ldc_initgroups_minimum_uid = -1;
+
+ for (i = 0; i <= LM_NONE; i++)
+ {
+@@ -1180,6 +1181,10 @@
+ break;
+ }
+ }
++ else if (!strcasecmp (k, NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID))
++ {
++ result->ldc_initgroups_minimum_uid = atoi(v);
++ }
+ else if (!strcasecmp (k, NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS))
+ {
+ if (!strcasecmp (v, "on") || !strcasecmp (v, "yes")
+diff -ur nss_ldap-265/util.h nss_ldap-265-2/util.h
+--- nss_ldap-265/util.h 2009-11-06 05:28:08.000000000 -0500
++++ nss_ldap-265-2/util.h 2010-08-19 17:19:46.000000000 -0400
+@@ -92,6 +92,7 @@
+ #define NSS_LDAP_KEY_PAGESIZE "pagesize"
+ #define NSS_LDAP_KEY_INITGROUPS "nss_initgroups"
+ #define NSS_LDAP_KEY_INITGROUPS_IGNOREUSERS "nss_initgroups_ignoreusers"
++#define NSS_LDAP_KEY_INITGROUPS_MINIMUM_UID "nss_initgroups_minimum_uid"
+ #define NSS_LDAP_KEY_GETGRENT_SKIPMEMBERS "nss_getgrent_skipmembers"
+
+ /* more reconnect policy fine-tuning */
+--- nss_ldap-265/ldap.conf 2005-08-17 18:35:13.000000000 -0400
++++ nss_ldap-265/ldap.conf 2006-02-09 14:14:05.000000000 -0500
+@@ -177,8 +177,8 @@
+ #nss_base_aliases ou=Aliases,dc=padl,dc=com?one
+ #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
+
+-# Just assume that there are no supplemental groups for these named users
+-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
++# Just assume that there are no supplemental groups for system users.
++nss_initgroups_minimum_uid 500
+
+ # attribute/objectclass mapping
+ # Syntax:
--- /dev/null
+Configure by default to fail, quickly, requests for supplemental group
+information for "root", "ldap", and assorted other users as whom services
+run or who are mentioned by the DBus configuration. This patch will never
+be pretty.
+
+--- pam_ldap-180/ldap.conf 2005-08-17 18:35:13.000000000 -0400
++++ pam_ldap-180/ldap.conf 2006-02-09 14:14:05.000000000 -0500
+@@ -177,6 +177,9 @@
+ #nss_base_aliases ou=Aliases,dc=padl,dc=com?one
+ #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
+
++# Just assume that there are no supplemental groups for these named users
++nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse,rpc,rpcuser,nobody
++
+ # attribute/objectclass mapping
+ # Syntax:
+ #nss_map_attribute rfc2307attribute mapped_attribute
--- /dev/null
+diff -up nss_ldap-253/ldap-nss.c.padl418 nss_ldap-253/ldap-nss.c
+--- nss_ldap-253/ldap-nss.c.padl418 2010-11-17 14:08:24.000000000 +0000
++++ nss_ldap-253/ldap-nss.c 2010-11-18 00:34:22.000000000 +0000
+@@ -1272,9 +1272,14 @@ do_init (void)
+ }
+ }
+
+- __session.ls_conn = NULL;
++ /* looks like a problem. could be initialized, but not connected */
++ if (__session.ls_state != LS_UNINITIALIZED)
++ {
++ debug ("<== do_init (already initialized)");
++ goto initialized;
++ }
++
+ __session.ls_timestamp = 0;
+- __session.ls_state = LS_UNINITIALIZED;
+
+ #if defined(HAVE_PTHREAD_ONCE) && defined(HAVE_PTHREAD_ATFORK)
+ if (pthread_once (&__once, do_atfork_setup) != 0)
+@@ -1394,6 +1399,7 @@ do_init (void)
+
+ debug ("<== do_init (initialized session)");
+
++initialized:
+ return NSS_SUCCESS;
+ }
+
+@@ -1614,6 +1620,7 @@ do_open (void)
+ }
+ else
+ {
++ syslog(LOG_ERR, "nss-ldap: do_open: do_start_tls failed:stat=%d", stat);
+ do_close ();
+ debug ("<== do_open (TLS startup failed)");
+ return stat;
--- /dev/null
+--- nss_ldap/ldap-netgrp.c
++++ nss_ldap/ldap-netgrp.c
+@@ -372,7 +372,7 @@ _nss_ldap_setnetgrent (char *group, stru
+ _nss_ldap_filt_getnetgrent, LM_NETGROUP,
+ _nss_ldap_load_netgr);
+
+- if (stat == NSS_NOTFOUND)
++ if (stat != NSS_SUCCESS)
+ return stat;
+
+ LOOKUP_SETENT (_ngbe);
projects / ipfire-3.x.git / commitdiff
