sssd-2.9.0
SSSD 2.9.0 Release Notes
Highlights
General information
sss_simpleifp
library is deprecated and might be removed in further releases. Those who are interested to keep using it awhile should configure its build explicitly using--with-libsifp
./configure
option.- "Files provider" (i.e.
id_provider = files
) is deprecated and might be removed in further releases. Those who are interested to keep using it awhile should configure its build explicitly using--with-files-provider
./configure
option. Or consider using "Proxy provider" withproxy_lib_name = files
instead. - Previously deprecated
--enable-files-domain
configure option, which was used to manage default value of theenable_files_domain
config option, is now removed. - Long time unused '--enable-all-experimental-features' configure option was removed.
- SSSD will no longer warn about changed defaults when using
ldap_schema = rfc2307
and default autofs mapping. This warning was introduced in 1.14 to loudly warn about different default values.
New features
- New passkey functionality, which will allow the use of FIDO2 compliant devices to authenticate a centrally managed user locally. Moreover, in the case of a FreeIPA user, it can also issue a Kerberos ticket automatically with upcoming FreeIPA version 4.11.
- Add support for ldapi:// URLs to allow connections to local LDAP servers
- NSS IDMAP has two new methods:
getsidbyusername
andgetsidbygroupname
Note: support for passkey is in its initial phase and the authentication policy will be adjusted in future versions.
Packaging changes for passkey
- Include passkey subpackage and dependency for libfido2.
Configuration changes for passkey
- New options to enable and tune passkey behavior:
pam_passkey_auth
,ldap_user_passkey
,passkey_verification
,passkey_child_timeout
,interactive
,interactive_prompt
,touch
andtouch_prompt
. --with-passkey
is a new configuration option to enable building passkey authentication.
Important fixes
- A regression when running sss_cache when no SSSD domain is enabled would produce a syslog critical message was fixed.
Configuration changes
- Default value of
cache_first
option was changed totrue
in case SSSD is built withoutfiles provider
. - ipa_access_order parameter introduced. It behaves much like ldap_access_order but affects IPA domains (id_provider = ipa) and accepts limited values. Please see sssd-ipa(5) for more information.