- Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
- Vast performance improvements when enumerate = true
- All PAM actions will now perform a forced initgroups lookup instead of just
- a user information lookup
- This guarantees that all group information is available to other
- providers, such as the simple provider.
- For backwards-compatibility, DNS lookups will also fall back to trying the
- SSSD domain name as a DNS discovery domain.
- Support for more password expiration policies in LDAP
- 389 Directory Server
- FreeIPA
- ActiveDirectory
- Support for ldap_tls_{cert,key,cipher_suite} config options
-Assorted bugfixes
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
- Add support for netgroups to the proxy provider
- Fixes a minor bug with UIDs/GIDs >= 2^31
- Fixes a segfault in the kerberos provider
- Fixes a segfault in the NSS responder if a data provider crashes
- Correctly use sdap_netgroup_search_base
- Added support for netgroups to the LDAP provider
- Performance improvements made to group processing of RFC2307 LDAP servers
- Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin
- Build-system improvements to support Gentoo
- Split out several libraries into the ding-libs tarball
- Manpage reviewed and updated
- Resolves: rhbz#595529 - spec file should eschew %define in favor of
- %global
- Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd
service
- to fail while restart.
- Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel
- keyring
- Resolves: rhbz#599724 - sssd is broken on Rawhide
attribute
- Reduced default timeout for detecting offline status with LDAP
- GSSAPI ticket lifetime made configurable
- Better offline->online transition support in Kerberos
- Fixed the IPA provider (which was segfaulting at start)
- Fixed a bug in the SSSDConfig API causing some options to revert to
- their defaults
- This impacted the Authconfig UI
- Ensure that SASL binds to LDAP auto-retry when interrupted by a signal
- Fixes double-free segfault in PAM
- Fixes double-free error in async resolver
- Fixes support for TCP-based DNS lookups in async resolver
- Fixes memory alignment issues on ARM processors
- Manpage fixes
One serious security issue was resolved related to the kerberos provider.
Users who authenticate against Kerberos and have cached credentials could
log in with a zero-length password
The network exposure of this bug was limited, as users logged in this way
would not have valid network credentials (by lucky accident).
This issue was present only in the 0.99.x preview releases and not in any
of the stable releases (0.7.1 and earlier)
Stability fixes since the 0.99.1 preview release
Added or updated several translations
Fixed long-standing "I have no name!" issue with X-based terminals
SSSD now passes "make distcheck" cleanly
SSSD PAM now conforms better to standards regarding PAM_PRELIM_CHECK
== Detailed Changelog == Göran Uddeborg (2):
Update SV translation
Update SV translation
Marina Latini (1):
Update IT translation
Martin Nagy (2):
Don't consider one address with different port numbers as the same
Change the first server pick logic
Sergei V. Kovylov (1):
sssd.spec for SLES
Simo Sorce (2):
Fix upgrade bug #323
Fix ldap child memory hierarchy and other issues
Stephen Gallagher (14):
Properly close STDERR when daemonizing
Fix tight loop in monitor
Don't set explicit default for "timeout" in domains
Fix warning in server.c
Raise DEBUG level of sdap_get_generic_done()
Change default for enumeration to TRUE
Fix tight-loop in monitor part 2
Properly handle EINTR from poll()
Updating ES translation
Add DEBUG messages to getpwnam_callback and getpwuid_callback
Clarify access_provider manpage entry
Do not blindly accept zero-length passwords
Fix broken password changes for local users
Release SSSD 1.0
Sumit Bose (9):
Use sys.exit instead of exit
Check for minimal version of check
Build python modules in builddir
Use --with-ldb-lib-dir while running make distcheck
Cleanup db files after test run
disable password migration code
Handle chauthtok with PAM_PRELIM_CHECK separately
Do not overwrite valid TGTs when offline
Fix for #345
Copy-edit sssd-ipa man page
Dmitri Pal (5):
COMMON Improvements to the trace macro
COLLECTION Create reference to the top level collection
Cleaning FIXME comments
Cleaning FIXME comments.
INI Correcting build warnings.
Fabian Affolter (1):
Add German translation
Göran Uddeborg (2):
Add Swedish translation for sss_client
Add Swedish translation for SSSD server
Jakub Hrozek (13):
Warn visibly about permission problems with the config file
Better error message when there is no local domain configured
Setup ldap child logging from IPA backend
Check the services started against a list of known services
Handle spaces in config parser
Fail on nonexistent input file
Do not start with provider=files
Reduce code duplication between LDAP child and Kerberos child
Change ares usage to be c-ares 1.7.0 compatible
Import ares 1.7.0 helpers
Don't build the SRV and TXT parsing code except for tests
Document the failover feature in manpages
Consolidate code for splitting strings by separator
Martin Nagy (3):
Fix egg-info file generation in the spec file
Add some debugging statements to fail_over and resolver
Correctly restart server status after the timeout
Simo Sorce (17):
Fix tabs
Fix memberof plugin
Compute and save memberuid in cache as well
Use memberuid and not member in group enumerations
Use the custom password field in groups too.
Resolve nested groups also when rfc2307bis is used
Make strdn build functions more available
Fix nested group memberships
Allow nesting to fix#310
Fix bug #311, properly set callback attribute
Change dhash API to be talloc-friendly
Add private pointer for delete callback
Add comments to document latest changes
Add rebuild task to memberof plugin
Handle the special 02 upgrade case for 04->05
Fix for #316
Fix for #322, update from old database versions.
Stephen Gallagher (28):
Remove ELAPI from build and tarball
Stop configuring ELAPI
Make debug log timestamps human-readable
Raise debug log level for LDB_DEBUG_WARNING
Add allocation error check
Avoid returning uninitialized result.
Fix potential uninitialized value errors in nsssrv_cmd.c
Fix potential uninitialized value error in responder_dp.c
SSSDDomain.remove_provider() requires only the provider type
Make SSSDDomain.remove_provider() remove configured options
Run dhash tests
Add SSSDDomain.set_name() function to SSSDConfig API
Reduce the verbosity of the SSSDConfigTest
Fix broken SSSDChangeConf.set() function
Fix SSSDConfig API bugs around [de-]activation of domains
Fix RPM spec for RHEL6
fix deactivate_domain()
SSSDConfig.get_domain() should properly detect active state
Ensure that list_active_domains returns the real value
Properly deny id_provider=files
Add missing options to sssd-ipa configuraion
Add missing SSSDConfig file for IPA for make install
Fix processing of Boolean values in SSSDConfig
Add 'permit' and 'deny' access providers to SSSDConfig API
Remove default for ldap_use_start_tls in IPA providers
Run SSSDConfig tests during 'make check'
Fix stupid copy-paste error
Updating to version 0.99.1
Sumit Bose (13):
Do not include libsss_ipa.la in rpm package
Immediately return a krb5 change password request when offline
Check LDAP structure before calling ldap_unbind_ext()
Add sysdb_search_custom request
Do not treat missing proc files as errors.
Add basic OS detection
Make packaging of *.egg-info files more flexible
Try to renew Kerberos credentials
Add checks to test the memberuid handling
Add offline support for ipa_access
Add dummy credentials to an empty ccache file
Always update sysdb to the latest version
Fix DEBUG message for sysdb_init
beckerde (1):
Add Spanish translation
ruigo (1):
Add Portuguese translation
