Releases: SSSD/sssd

sssd-2.8.1

04 Nov 11:18
2.8.1

SSSD 2.8.1 Release Notes

Highlights

Important fixes

  • Fixed a regression where running sss_cache when no SSSD domain is enabled would produce a critical syslog message.

See full release notes here.

sssd-2.8.0

07 Oct 11:27
2.8.0

SSSD 2.8.0 Release Notes

Highlights

General information

  • The new D-Bus function ListByAttr() allows the caller to look for users that have an attribute with a certain value. For performance reasons, it is recommended that the attribute is indexed both on the remote server and on the local cache. The sssctl tool now provides the cache-index command to help you manage indexes on the local cache.

New features

  • Introduced the D-Bus function org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit), which lists up to limit users matching the filter attr=value.
  • sssctl is now able to create, list and delete indexes on the local caches. Indexes are useful for the new D-Bus ListByAttr() function.
  • sssctl is now able to read and set each component's debug level independently.

Important fixes

  • The domains option in the [sssd] section can now be completely omitted if domains are enabled via the domains/enabled option.

Configuration changes

  • New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD processes. Enabled by default.
  • New option 'ldap_enumeration_refresh_offset' to set the maximum period deviation between enumeration updates. Defaults to 30 seconds.
  • New option 'subdomain_refresh_interval_offset' to set the maximum period deviation when refreshing the subdomain list.
  • New option 'dyndns_refresh_interval_offset' to set the maximum period deviation when updating the client's DNS entry. Defaults to 0.
  • New option 'refresh_expired_interval_offset' to set the maximum period deviation when refreshing expired entries in background.
  • New option 'ldap_purge_cache_offset' to set the maximum time deviation between cache cleanups. Defaults to 0.
  • Option 'ad_machine_account_password_renewal_opts' now accepts an optional third part as the maximum deviation in the provided period (first part) and initial delay (second part). If the period and initial delay are provided but not the offset, the offset is assumed to be 0. If no part is provided, the default is 86400:750:300.
  • override_homedir now recognizes the %h template which is replaced by the original home directory retrieved from the identity provider, but in lower case.

See full release notes here.

sssd-2.7.4

26 Aug 20:53
2.7.4

SSSD 2.7.4 Release Notes

Highlights

General information

  • Lock-free client support will only be built if libc provides pthread_key_create() and pthread_once(). For glibc this means version 2.34+.

See full release notes here.

sssd-2.7.3

04 Jul 11:08
2.7.3

SSSD 2.7.3 Release Notes

Highlights

General information

  • All SSSD client libraries (nss, pam, etc) won't serialize requests anymore by default, i.e. requests from multiple threads can be executed in parallel. Old behavior (serialization) can be enabled by setting environment variable "SSS_LOCKFREE" to "NO".

See full release notes here.

sssd-2.7.2

13 Jun 14:25
2.7.2

SSSD 2.7.2 Release Notes

Highlights

Important fixes

  • A serious regression introduced in sssd-2.7.1 that prevented successful authentication of IPA users was fixed.

Configuration changes

  • Default value of pac_check changed to check_upn, check_upn_dns_info_ex (for AD and IPA provider).

See full release notes here.

sssd-2.7.1

02 Jun 11:32
2.7.1

SSSD 2.7.1 Release Notes

Highlights

General information

  • SSSD can now handle multi-valued RDNs if a unique name must be determined with the help of the RDN.

Important fixes

  • Fixed a regression in the pam_sss_gss module that caused a failure if the KRB5CCNAME environment variable was not set.

Packaging changes

  • sssd-ipa doesn't require sssd-idp anymore

Configuration changes

  • New option implicit_pac_responder to control if the PAC responder is started for the IPA and AD providers, default is true.
  • New option krb5_check_pac to control the PAC validation behavior.
  • Multiple crl_file arguments can be used in the certificate_verification option.

See full release notes here.

sssd-2.7.0

14 Apr 18:03
2.7.0

SSSD 2.7.0 Release Notes

Highlights

New features

  • Added a new krb5 plugin idp and a new binary oidc_child which performs OAuth2 authentication against FreeIPA. This, however, cannot be tested yet because this feature is still under development on the FreeIPA server side. Nevertheless, we have decided to include it in the release so that the functionality is available on the clients as soon as the FreeIPA project delivers this feature, without the need to update the clients.

General information

  • Better default for IPA/AD re_expression. Tuning for group names containing '@' is no longer needed.
  • A warning is added in the logs if an LDAP operation needs more than 80% of the configured timeout.
  • A new debug level is added to show statistical and performance data. Currently the duration of a backend request and of single LDAP operations are recorded if debug_level is set to 9 or the bit 0x20000 is set.
  • Added support for anonymous PKINIT to get FAST credentials
  • We have many warnings and errors from static analyzers

Important fixes

  • SSSD now correctly falls back to UPN search if the user was not found even with cache_first = true.

Packaging changes

  • Added new configure options --with-oidc-child and --without-oidc-child to control the build of oidc_child (enabled by default).
  • Added new package sssd-idp that contains the oidc_child and krb5 idp plugin, this package is required by sssd-ipa.

See full release notes here.

sssd-2.6.3

25 Jan 11:17
2.6.3

SSSD 2.6.3 Release Notes

Highlights

Important fixes

  • A regression introduced in sssd-2.6.2 in the IPA provider that prevented users from logging in was fixed. Access control always denied access because the selinux_child returned an unexpected reply.
  • A critical regression that prevented authentication of users via AD and IPA providers was fixed. LDAP port was reused for Kerberos communication and this provider would send incomprehensible information to this port.
  • When authenticating AD users, backtrace was triggered even though everything was working correctly. This was caused by a search in the global catalog. Servers from the global catalog are filtered out of the list before writing the KDC info file. With this fix, SSSD does not attempt to write to the KDC info file when performing a GC lookup.

See full release notes here.

sssd-2.6.2

23 Dec 14:48
2.6.2

SSSD 2.6.2 Release Notes

Highlights

Important fixes

  • Quick log out and log in did not correctly refresh user's initgroups in no_session PAM schema due to lingering systemd processes.

See full release notes here.

sssd-2.6.1

09 Nov 15:27
2.6.1

SSSD 2.6.1 Release Notes

Highlights

New features

  • New infopipe method FindByValidCertificate() which accepts the certificate as input, validates it against configured CAs, and outputs the user path on success. This is similar to the existing FindByCertificate(), but that does not do any trust validation.

Packaging changes

  • subid ranges support was enabled by default.

Configuration changes

  • Default value of ssh_hash_known_hosts setting was changed to false for the sake of consistency with OpenSSH that does not hash host names by default.

See full release notes here.