| |
@@ -0,0 +1,463 @@
|
| |
+ SSSD 1.13.0
|
| |
+ ===========
|
| |
+
|
| |
+ Highlights
|
| |
+ ----------
|
| |
+
|
| |
+ - Support for separate prompts when using two-factor authentication was
|
| |
+ added
|
| |
+ - Added support for one-way trusts between an IPA and Active Directory
|
| |
+ environment. Please note that this SSSD functionality depends on IPA
|
| |
+ code that will be released in the IPA 4.2 version
|
| |
+ - The fast memory cache now also supports the initgroups operation.
|
| |
+ - The PAM responder is now capable of caching authentication for
|
| |
+ configurable period, which might reduce server load in cases where
|
| |
+ accounts authenticate very frequently. Please refer to the
|
| |
+ ``cached_auth_timeout`` option in the ``sssd.conf`` manual page.
|
| |
+ - The Active Directory provider has changed the default value of the
|
| |
+ ``ad_gpo_access_control`` option from ``permissive`` to
|
| |
+ ``enforcing``. As a consequence, the GPO access control now affects
|
| |
+ all clients that set ``access_provider`` to ``ad``. In order to
|
| |
+ restore the previous behaviour, set ``ad_gpo_access_control`` to
|
| |
+ ``permissive`` or use a different ``access_provider`` type.
|
| |
+ - Group Policy objects defined in a different AD domain that the
|
| |
+ computer object is defined in are now supported.
|
| |
+ - Credential caching and Offline authentication are also available when
|
| |
+ using two-factor authentication
|
| |
+ - Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users
|
| |
+ and groups are now exposed as first-class objects. The users and
|
| |
+ groups can also be marked as cached and would subsequently show up in
|
| |
+ the Introspection output
|
| |
+ - The DBus interface is now also able to look up User objects by
|
| |
+ certificate. This is a first part of work that will eventually allow
|
| |
+ smart-card authentication in SSSD.
|
| |
+ - The LDAP cleanup task is now disabled by default, unless enumeration
|
| |
+ is enabled. Please refer to the ``ldap_purge_cache_timeout`` option
|
| |
+ in case your environment requires the cleanup task
|
| |
+ - The Python bindings are now built for both Python2 and Python3
|
| |
+ - The LDAP bind timeout, StartTLS timeout and password change timeout
|
| |
+ are now configurable using the ``ldap_opt_timeout`` option
|
| |
+
|
| |
+ Packaging Changes
|
| |
+ -----------------
|
| |
+
|
| |
+ - A new directory ``/var/lib/sss/keytabs`` is present and owned by the
|
| |
+ ``sssd-ipa`` subpackage. The SSSD stores keytabs for one-way trust
|
| |
+ relationships in this directory. Downstreams should make sure that
|
| |
+ the directory is only readable to the user who runs the SSSD service.
|
| |
+ - Several packaging changes are present in this release to support the
|
| |
+ Python3 bindings, notably new ``python-sss`` and
|
| |
+ ``python-sss-murmur`` subpackages are introduced in upstream RPM
|
| |
+ packaging
|
| |
+ - All python bindings now have a Python3 and a Python2 version in the
|
| |
+ upstream RPM packaging scheme
|
| |
+ - The OpenSSL development library such as ``openssl-devel`` on
|
| |
+ RHEL/Fedora or
|
| |
+ `Debian/Ubuntu? <https://docs.pagure.org/sssd-test2/Debian/Ubuntu.html>`__
|
| |
+ ``libssl-dev`` is now required to support certificate operations
|
| |
+ - A new internal library ``libsss_cert.so`` is present in this release.
|
| |
+ - The fast initgroups memcache is represented by a new file
|
| |
+ ``/var/lib/sss/mc/initgroups``
|
| |
+
|
| |
+ Documentation Changes
|
| |
+ ---------------------
|
| |
+
|
| |
+ - The ``ad_gpo_access_control`` option default has changed from
|
| |
+ ``permissive`` to ``enforcing``
|
| |
+ - The default value of ``ldap_purge_cache_timeout`` changed to 0, thus
|
| |
+ effectivelly disabling the cleanup task.
|
| |
+ - A new option ``cache_credentials_minimal_first_factor_length`` was
|
| |
+ added. This option sets constraints on the password length if
|
| |
+ One-Time passwords are used and credentials are to be cached. Please
|
| |
+ see the ``sssd.conf(5)`` man page for more details
|
| |
+ - The cached authentication is controlled by new option
|
| |
+ ``cached_auth_timeout``. By default the cached authentication is
|
| |
+ disabled.
|
| |
+
|
| |
+ Tickets Fixed
|
| |
+ -------------
|
| |
+
|
| |
+ .. raw:: html
|
| |
+
|
| |
+ <div>
|
| |
+
|
| |
+ `#897 </sssd/ticket/897>`__
|
| |
+ sssd should pass -d to nsupdate when running with high log level
|
| |
+ `#1501 </sssd/ticket/1501>`__
|
| |
+ Make the LDAP bind operation timeout configurable
|
| |
+ `#2150 </sssd/ticket/2150>`__
|
| |
+ [RFE] Expose listing calls over D-BUS
|
| |
+ `#2224 </sssd/ticket/2224>`__
|
| |
+ nsupdate stderr is not captured
|
| |
+ `#2236 </sssd/ticket/2236>`__
|
| |
+ The cleanup task has no DEBUG statements
|
| |
+ `#2326 </sssd/ticket/2326>`__
|
| |
+ SBUS: Flush the UID cache when we receive NameOwnerChanged
|
| |
+ `#2338 </sssd/ticket/2338>`__
|
| |
+ [RFE] Implement object caching on the bus
|
| |
+ `#2339 </sssd/ticket/2339>`__
|
| |
+ IFP: support multiple interfaces for object
|
| |
+ `#2540 </sssd/ticket/2540>`__
|
| |
+ SSSD does not update Dynamic DNS records if the IPA domain differs
|
| |
+ from machine hostname's domain
|
| |
+ `#2569 </sssd/ticket/2569>`__
|
| |
+ In ipa-ad trust, with 'default\_domain\_suffix' set to AD domain,
|
| |
+ IPA user are not able to log unless use\_fully\_qualified\_names is
|
| |
+ set
|
| |
+ `#2574 </sssd/ticket/2574>`__
|
| |
+ SSSD should be able to build python2 and python3 bindings in a one
|
| |
+ build
|
| |
+ `#2583 </sssd/ticket/2583>`__
|
| |
+ [RFE] Homedir is always overwritten with subdomain\_homedir value in
|
| |
+ server mode
|
| |
+ `#2593 </sssd/ticket/2593>`__
|
| |
+ Does sssd-ad use the most suitable attribute for group name?
|
| |
+ `#2596 </sssd/ticket/2596>`__
|
| |
+ Add a way to lookup users based on CAC identity certificates
|
| |
+ `#2603 </sssd/ticket/2603>`__
|
| |
+ Make SSSD's HBAC validation more permissive if deny rules are not
|
| |
+ used
|
| |
+ `#2609 </sssd/ticket/2609>`__
|
| |
+ [bug] sssd always appends default\_domain\_suffix when checking for
|
| |
+ host keys
|
| |
+ `#2618 </sssd/ticket/2618>`__
|
| |
+ Man sssd-ad(5) lists Group Policy Management Editor naming for some
|
| |
+ policies but not for all
|
| |
+ `#2620 </sssd/ticket/2620>`__
|
| |
+ id\_provider=proxy with auth\_provider=ldap does not work reliably
|
| |
+ `#2625 </sssd/ticket/2625>`__
|
| |
+ Sudo responder does not respect filter\_users and filter\_groups
|
| |
+ `#2627 </sssd/ticket/2627>`__
|
| |
+ Disable the cleanup task by default
|
| |
+ `#2636 </sssd/ticket/2636>`__
|
| |
+ RFE: Fetch keytabs for one-way trusts in IPA subdomain code
|
| |
+ `#2638 </sssd/ticket/2638>`__
|
| |
+ RFE: Change ad\_id\_ctx instantiation in the IPA subdomain code to
|
| |
+ support one-way trusts
|
| |
+ `#2645 </sssd/ticket/2645>`__
|
| |
+ [RFE] Support GPOs from different domain controllers
|
| |
+ `#2661 </sssd/ticket/2661>`__
|
| |
+ RFE: Change AD GPO default to enforcing
|
| |
+ `#2666 </sssd/ticket/2666>`__
|
| |
+ sssd with ldap backend throws error domain log
|
| |
+
|
| |
+ .. raw:: html
|
| |
+
|
| |
+ </div>
|
| |
+
|
| |
+ .. raw:: html
|
| |
+
|
| |
+ <div>
|
| |
+
|
| |
+ `#1807 </sssd/ticket/1807>`__
|
| |
+ [RFE] authenticate against cache in SSSD
|
| |
+ `#2017 </sssd/ticket/2017>`__
|
| |
+ [RFE] Python 3 support
|
| |
+ `#2485 </sssd/ticket/2485>`__
|
| |
+ [RFE] The fast memory cache should cache initgroups
|
| |
+ `#2590 </sssd/ticket/2590>`__
|
| |
+ SSSD doesn't re-read resolv.conf if the file doesn't exist during
|
| |
+ boot
|
| |
+ `#2641 </sssd/ticket/2641>`__
|
| |
+ Add a IS\_DEFAULT\_VIEW macro
|
| |
+ `#2701 </sssd/ticket/2701>`__
|
| |
+ Kerberos-based providers other than krb5 do not queue requests
|
| |
+
|
| |
+ .. raw:: html
|
| |
+
|
| |
+ </div>
|
| |
+
|
| |
+ Detailed Changelog
|
| |
+ ------------------
|
| |
+
|
| |
+ Jakub Hrozek (73):
|
| |
+
|
| |
+ - MAN: Fix a typo
|
| |
+ - SYSDB: Reduce code duplication in sysdb\_gpo.c
|
| |
+ - UTIL: Make two child\_common.c functions static
|
| |
+ - TESTS: Cover child\_common.c with unit tests
|
| |
+ - LDAP: Use child\_io\_destructor instead of child\_cleanup in a custom
|
| |
+ desctructor
|
| |
+ - UTIL: Remove child\_cleanup
|
| |
+ - UTIL: Unify the fd\_nonblocking implementation
|
| |
+ - RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
|
| |
+ - PAM: print the pam status as string, too
|
| |
+ - KRB5: More debugging for create\_ccache()
|
| |
+ - SDAP: Make simple bind timeout configurable
|
| |
+ - SDAP: Make password change timeout configurable with
|
| |
+ ldap\_opt\_timeout
|
| |
+ - SDAP: Make StartTLS bind configurable with ldap\_opt\_timeout
|
| |
+ - SDAP: Decorate the sdap\_op functions with DEBUG messages
|
| |
+ - IPA: Remove the ipa\_hbac\_treat\_deny\_as option
|
| |
+ - MAN: Clarify debug\_level a bit
|
| |
+ - SSH: Ignore the default\_domain\_suffix
|
| |
+ - LDAP: Set sdap handle as explicitly connected in LDAP auth
|
| |
+ - tests: Revert strcmp condition
|
| |
+ - ncache: Fix sss\_ncache\_reset\_permanent
|
| |
+ - ncache: Silence critical error from filter\_users when
|
| |
+ default\_domain\_suffix is set
|
| |
+ - ncache: Add sss\_ncache\_reset\_repopulate\_permanent
|
| |
+ - responders: reset ncache after domains are discovered during startup
|
| |
+ - NSS: Reset negcache after checking domains
|
| |
+ - MAN: Clarify how are GPO mappings called in GPO editor
|
| |
+ - UTIL: Add a simple function to get the fd of debug\_file
|
| |
+ - dyndns: Log nsupdate stderr with a high debug level
|
| |
+ - nsupdate: Append -d/-D to nsupdate with a high debug level
|
| |
+ - subdom: Remove unused function get\_flat\_name\_from\_subdomain\_name
|
| |
+ - nss: Use negcache for getbysid requests
|
| |
+ - tests: Add NSS responder tests for bysid requests
|
| |
+ - LDAP: disable the cleanup task by default
|
| |
+ - TESTS: Use the right testcase
|
| |
+ - TESTS: Add test for get\_next\_domain
|
| |
+ - LDAP: Do not print verbose DEBUG messages from providers that don't
|
| |
+ set UUID
|
| |
+ - SYSDB: Store trust direction for subdomains
|
| |
+ - UTIL/SYSDB: Move new\_subdomain() to sysdb\_subdomains.c and make it
|
| |
+ private
|
| |
+ - TESTS: Add a test for sysdb\_subdomains.c
|
| |
+ - SYSDB: Add realm to sysdb\_master\_domain\_add\_info
|
| |
+ - SYSDB: Add a forest root attribute to sss\_domain\_info
|
| |
+ - IPA: Add ipa\_subdomains\_handler\_get\_{start,cont} wrappers
|
| |
+ - IPA: Check master domain record before subdomain records
|
| |
+ - IPA: Fold ipa\_subdom\_enumerates into ipa\_subdom\_store
|
| |
+ - IPA: Also update master domain when initializing subdom handler
|
| |
+ - IPA: Move server-mode functions to a separate module
|
| |
+ - IPA: Split two functions to new module ipa\_subdomains\_utils.c
|
| |
+ - IPA: Include ipaNTTrustDirection in the attribute set for trusted
|
| |
+ domains
|
| |
+ - IPA: Read forest name for trusted forest roots as well
|
| |
+ - IPA: Make constructing an IPA server mode context async
|
| |
+ - TESTS: Split off keytab creation into a common module
|
| |
+ - TESTS: Add a common mock\_be\_ctx function
|
| |
+ - TESTS: Add a common function to set up sdap\_id\_ctx
|
| |
+ - TESTS: Move krb5\_try\_kdcip to nested group test
|
| |
+ - TESTS: Add unit test for the subdomain\_server.c module
|
| |
+ - IPA: Fetch keytab for 1way trusts
|
| |
+ - AD: Rename ad\_set\_ad\_id\_options to ad\_set\_sdap\_options
|
| |
+ - AD: Rename ad\_create\_default\_options to
|
| |
+ ad\_create\_2way\_trust\_options
|
| |
+ - AD: Split off ad\_create\_default\_options
|
| |
+ - IPA/AD: Set up AD domain in ad\_create\_2way\_trust\_options
|
| |
+ - IPA: Do not set AD\_KRB5\_REALM twice
|
| |
+ - AD: Add ad\_create\_1way\_trust\_options
|
| |
+ - IPA: Utility function for setting up one-way trust context
|
| |
+ - LDAP: Do not set keytab through environment variable
|
| |
+ - LDAP: Consolidate SDAP\_SASL\_REALM/SDAP\_KRB5\_REALM behaviour
|
| |
+ - CONFIG: Add SSS\_STATEDIR as VARDIR/lib/sss
|
| |
+ - BUILD: Store keytabs in /var/lib/sss/keytabs
|
| |
+ - Updating the translations for the 1.13 Alpha release
|
| |
+ - Updating the version.m4 file for the 1.13 Beta release
|
| |
+ - tests: Reduce duplication with new function test\_ev\_done
|
| |
+ - KRB5: Add and use krb5\_auth\_queue\_send to queue requests by
|
| |
+ default
|
| |
+ - PAM: Only cache first-factor
|
| |
+ - Updating the translations for the 1.13.0 release
|
| |
+ - Updating the version for the 1.13.0 release
|
| |
+
|
| |
+ John Dickerson (1):
|
| |
+
|
| |
+ - MAN: Amend the description of ignore\_group\_members
|
| |
+
|
| |
+ Lukas Slebodnik (67):
|
| |
+
|
| |
+ - MAN: Remove indentation in element programlistening
|
| |
+ - Fix warning: for loop has empty body
|
| |
+ - Bump version to track 1.13 development
|
| |
+ - SPEC: Use libnl3 for epel6
|
| |
+ - MAKE: Don't include autoconf generated file to tarball
|
| |
+ - TESTS: Mock return value of sdap\_get\_generic\_recv
|
| |
+ - test\_nested\_groups: Additional unit tests
|
| |
+ - Fix warning: equality comparison with extraneous parentheses
|
| |
+ - LDAP: Conditional jump depends on uninitialised value
|
| |
+ - BUILD: Remove unused libraries for pysss.so
|
| |
+ - BUILD: Remove unused variables
|
| |
+ - BUILD: Remove detection of type Py\_ssize\_t
|
| |
+ - UTIL: Remove python wrapper sss\_python\_set\_new
|
| |
+ - UTIL: Remove python wrapper sss\_python\_set\_add
|
| |
+ - UTIL: Remove python wrapper sss\_python\_set\_check
|
| |
+ - UTIL: Remove compatibility macro PyModule\_AddIntMacro
|
| |
+ - UTIL: Remove python wrapper sss\_python\_unicode\_from\_string
|
| |
+ - BUILD: Use python-config for detection \*FLAGS
|
| |
+ - SPEC: Use new convention for python packages
|
| |
+ - SPEC: Move python bindings to separate packages
|
| |
+ - BUILD: Add possibility to build python{2,3} bindings
|
| |
+ - TESTS: Run python tests with all supported python versions
|
| |
+ - SPEC: Replace python\_ macros with python2\_
|
| |
+ - SPEC: Build python3 bindings on available platforms
|
| |
+ - BUILD: Uninstall also symbolic links to python bindings
|
| |
+ - Remove unused argument from be\_nsupdate\_create\_fwd\_msg
|
| |
+ - IPA: Remove unused argument from ipa\_id\_get\_group\_uuids
|
| |
+ - Remove useless assignment to function parameter
|
| |
+ - PAC: Fix memory leak
|
| |
+ - responder\_cache: Fix warning may be used uninitialized
|
| |
+ - debug-tests: Fix test with new line in debug message
|
| |
+ - BUILD: Add missing header file to tarball
|
| |
+ - pam\_client: fix casting to const pointer
|
| |
+ - test\_expire: Use right assertion macro for standard functions
|
| |
+ - test\_ldap\_auth: Use right assertion for integer comparison
|
| |
+ - test\_resolv\_fake: Fix alignment warning
|
| |
+ - PAC: Remove unused function
|
| |
+ - KRB5: Unify prototype and definition
|
| |
+ - util-tests: Initialize boolean variable to default value
|
| |
+ - SPEC: Drop workaround for old libtool
|
| |
+ - SPEC: Drop workarounds for old rpmbuild
|
| |
+ - SPEC: Remove unused option
|
| |
+ - SPEC: Few cosmetic changes
|
| |
+ - simple\_access-tests: Simplify assertion
|
| |
+ - sysdb-tests: Add missing assertions
|
| |
+ - sysdb-tests: test return value before output arguments
|
| |
+ - ad\_opts: Use different default attribute for group name
|
| |
+ - BUILD: Write hints about optional python bindings
|
| |
+ - sss\_client: Fix mixed enums
|
| |
+ - LDAP: Remove dead assignment
|
| |
+ - sss\_client: Fix warning "\_" redefined
|
| |
+ - SSSDConfigTest: Use unique temporary directory
|
| |
+ - util-tests: Add validation of internal error messages
|
| |
+ - SDAP: Check return value before using output arguments
|
| |
+ - SDAP: Log failure from sysdb\_handle\_original\_uuid
|
| |
+ - test\_ipa\_subdomains\_server: Run clean-up after success
|
| |
+ - IFP: Fix warnings with enabled optimisation
|
| |
+ - SDAP: Remove user from cache for missing user in LDAP
|
| |
+ - test\_ipa\_subdom\_server: Add missing assert
|
| |
+ - test\_ipa\_subdomains\_server: Fix build with --coverage
|
| |
+ - nss: Store entries in responder to initgr mmap cache
|
| |
+ - mmap\_cache: Invalidate entry in right memory cache
|
| |
+ - nss: Invalidate entry in initgr mmap cache
|
| |
+ - sss\_client: Use initgr mmap cache in client code
|
| |
+ - sss\_cache: Clear also initgroups fast cache
|
| |
+ - sss\_client: Use unique lock for memory cache
|
| |
+ - sss\_client: Re-check memcache after acquiring the lock
|
| |
+
|
| |
+ Michal Zidek (5):
|
| |
+
|
| |
+ - Use FQDN if default domain was set
|
| |
+ - MAN: default\_domain\_suffix with use\_fully\_qualified\_names.
|
| |
+ - views: Add is\_default\_view helper function
|
| |
+ - MONITOR: Poll for resolv.conf if not available during boot
|
| |
+ - MONITOR: Do not report missing file as fatal in monitor\_config\_file
|
| |
+
|
| |
+ Nikolai Kondrashov (3):
|
| |
+
|
| |
+ - BUILD: Add AM\_PYTHON2\_MODULE macro
|
| |
+ - Add integration tests
|
| |
+ - BUILD: Fix variable substitution in cwrap.m4
|
| |
+
|
| |
+ Pavel BĆezina (53):
|
| |
+
|
| |
+ - tests: refactor create\_dom\_test\_ctx()
|
| |
+ - tests: add create\_multidom\_test\_ctx()
|
| |
+ - tests: add test\_multidom\_suite\_cleanup()
|
| |
+ - tests: remove code duplication in single domain cleanup
|
| |
+ - responders: new interface for cache request
|
| |
+ - responders: enable views in cache request
|
| |
+ - IFP: use new cache interface
|
| |
+ - server-tests: use strtouint32 instead strtol
|
| |
+ - sbus: add new iface via sbus\_conn\_register\_iface()
|
| |
+ - sbus: move iface and object path code to separate file
|
| |
+ - sbus: use 'path/\*' to represent a D-Bus fallback
|
| |
+ - sbus: support multiple interfaces on single path
|
| |
+ - sbus: add object path to sbus request
|
| |
+ - sbus: add sbus\_opath\_hash\_lookup\_supported()
|
| |
+ - sbus: support org.freedesktop.DBus.Introspectable
|
| |
+ - sbus: support org.freedesktop.DBus.Properties
|
| |
+ - sbus: unify naming of handler data variable
|
| |
+ - sbus: move common opath functions from ifp to sbus code
|
| |
+ - sbus: add sbus\_opath\_get\_object\_name()
|
| |
+ - ifp: fix potential memory leak in
|
| |
+ check\_and\_get\_component\_from\_path()
|
| |
+ - sbus: use hard coded getters instead of generated
|
| |
+ - sbus: remove unused 'reply as' functions
|
| |
+ - IFP: move interface definitions from ifpsrv.c into separate file
|
| |
+ - IFP: unify generated interfaces names
|
| |
+ - sbus codegen: do not prefix getters with iface name
|
| |
+ - IFP: simplify object path constant names
|
| |
+ - sbus: add constant to represent subtree
|
| |
+ - be\_refresh: get rid of callback pointers
|
| |
+ - sysdb: use sysdb\_user/group\_dn
|
| |
+ - cache\_req tests: rename test\_user to test\_user\_by\_name
|
| |
+ - cache\_req tests: define user name constant
|
| |
+ - cache\_req: preparations for different input type
|
| |
+ - cache\_req: add support for user by uid
|
| |
+ - cache\_req: add support for group by name
|
| |
+ - cache\_req: remove default branch from switches
|
| |
+ - cache\_req: add support for group by id
|
| |
+ - cmocka: include mock\_parse\_inp in header file
|
| |
+ - cache\_req: parse input name if needed
|
| |
+ - cache\_req: return ERR\_INTERNAL if more than one entry is found
|
| |
+ - sbus: provide custom error names
|
| |
+ - sbus: add sbus\_opath\_decompose[\_exact]
|
| |
+ - sbus: add a{sas} get invoker
|
| |
+ - IFP: add org.freedesktop.sssd.infopipe.Users
|
| |
+ - IFP: add org.freedesktop.sssd.infopipe.Users.User
|
| |
+ - IFP: add org.freedesktop.sssd.infopipe.Groups
|
| |
+ - IFP: add org.freedesktop.sssd.infopipe.Groups.Group
|
| |
+ - IFP: deprecate
|
| |
+ `GetUserAttr? <https://docs.pagure.org/sssd-test2/GetUserAttr.html>`__
|
| |
+ - IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
|
| |
+ - SBUS: Use default
|
| |
+ `GetAll? <https://docs.pagure.org/sssd-test2/GetAll.html>`__ invoker
|
| |
+ if none is set
|
| |
+ - SBUS: Add support for <node /> in introspection
|
| |
+ - IFP: Export nodes
|
| |
+ - sbus: add support for incoming signals
|
| |
+ - sbus: listen to
|
| |
+ `NameOwnerChanged? <https://docs.pagure.org/sssd-test2/NameOwnerChanged.html>`__
|
| |
+
|
| |
+ Pavel Reichl (20):
|
| |
+
|
| |
+ - add missing '\\n' in debug messages
|
| |
+ - PROXY: add missing space in debug message
|
| |
+ - BUILD: fix chmake not to generate warning
|
| |
+ - SDAP: log expired accounts at lower severity level
|
| |
+ - KRB5: add debug hint
|
| |
+ - TESTS: test expiration
|
| |
+ - ldap: refactor check\_pwexpire\_kerberos to use util func
|
| |
+ - ldap: refactor nds\_check\_expired to use util func
|
| |
+ - Fix a few typos in comments
|
| |
+ - sbus: sbus\_opath\_hash\_add\_iface free tmp talloc ctx
|
| |
+ - krb5: remove field run\_as\_user
|
| |
+ - localauth plugin: fix coverity warning
|
| |
+ - dyndns: remove dupl declaration of ipa\_dyndns\_update
|
| |
+ - dyndns: don't pass zone directive to nsupdate
|
| |
+ - dyndns: ipa\_dyndns.h missed declaration of used data
|
| |
+ - krb: remove duplicit decl. of write\_krb5info\_file
|
| |
+ - IPA: Don't override homedir with subdomain\_homedir
|
| |
+ - sysdb: new attribute lastOnlineAuthWithCurrentToken
|
| |
+ - PAM: authenticate agains cache
|
| |
+ - Minor code improvements
|
| |
+
|
| |
+ Stephen Gallagher (5):
|
| |
+
|
| |
+ - LDAP: Support returning referral information
|
| |
+ - AD GPO: Support processing referrals
|
| |
+ - AD GPO: Change default to "enforcing"
|
| |
+ - Add Vagrant configuration for SSSD
|
| |
+ - GPO: Fix incorrect strerror on GPO access denial
|
| |
+
|
| |
+ Sumit Bose (22):
|
| |
+
|
| |
+ - Add leak check and command line option to test\_authtok
|
| |
+ - utils: add sss\_authtok\_[gs]et\_2fa
|
| |
+ - pam: handle 2FA authentication token in the responder
|
| |
+ - Add pre-auth request
|
| |
+ - krb5-child: add preauth and split 2fa token support
|
| |
+ - IPA: create preauth indicator file at startup
|
| |
+ - pam\_sss: add pre-auth and 2fa support
|
| |
+ - Add cache\_credentials\_minimal\_first\_factor\_length config option
|
| |
+ - sysdb: add sysdb\_cache\_password\_ex()
|
| |
+ - krb5: save hash of the first authentication factor to the cache
|
| |
+ - krb5: try delayed online authentication only for single factor auth
|
| |
+ - 2FA offline auth
|
| |
+ - pam\_sss: move message encoding into separate file
|
| |
+ - PAM: add PAM responder unit test
|
| |
+ - adding ldap\_user\_auth\_type where missing
|
| |
+ - LDAP: add ldap\_user\_certificate option
|
| |
+ - certs: add PEM/DER conversion utilities
|
| |
+ - sysdb: add sysdb\_search\_user\_by\_cert() and
|
| |
+ sysdb\_search\_object\_by\_cert()
|
| |
+ - LDAP/IPA: add user lookup by certificate
|
| |
+ - ncache: add calls for certificate based searches
|
| |
+ - utils: add get\_last\_x\_chars()
|
| |
+ - IFP: add
|
| |
+ `FindByCertificate? <https://docs.pagure.org/sssd-test2/FindByCertificate.html>`__
|
| |
+ method for User objects
|
| |
Since RHEL-6 still ships the 1.13.x brach, some RHEL users are occasionally interested in 1.13.x release notes, especially to see what RHEL rebased to. Let's re-add the release notes.