
sssd-2.9.0

pbrezina released this 05 May 10:04

SSSD 2.9.0 Release Notes

Highlights

General information

  • The sss_simpleifp library is deprecated and might be removed in future releases. Those who want to keep using it for a while should enable its build explicitly with the --with-libsifp ./configure option.
  • The "Files provider" (i.e. id_provider = files) is deprecated and might be removed in future releases. Those who want to keep using it for a while should enable its build explicitly with the --with-files-provider ./configure option, or consider using the "Proxy provider" with proxy_lib_name = files instead.
  • The previously deprecated --enable-files-domain configure option, which was used to manage the default value of the enable_files_domain config option, is now removed.
  • The long-unused '--enable-all-experimental-features' configure option was removed.
  • SSSD will no longer warn about changed defaults when using ldap_schema = rfc2307 and default autofs mapping. This warning was introduced in 1.14 to loudly warn about different default values.
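
To check a host for the deprecated files provider before upgrading, the following added example (not part of the SSSD project or these release notes) scans an sssd.conf for domains with id_provider = files and prints the proxy-provider stanza suggested above. The sample configuration, domain names and socket path are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf (not taken from the release notes).
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = local, corp

[domain/local]
id_provider = files

[domain/corp]
id_provider = ldap
ldap_uri = ldapi://%2fvar%2frun%2fslapd.socket
"""

def find_files_provider_domains(conf_text):
    """Return [(domain, enabled)] for every domain using id_provider = files."""
    # interpolation=None: ldapi:// URIs carry %2f-encoded socket paths, which
    # configparser would otherwise reject as broken interpolation syntax.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    enabled = set()
    if cp.has_option("sssd", "domains"):
        enabled = {d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()}
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        provider = cp.get(section, "id_provider", fallback="").strip().lower()
        if provider == "files":
            findings.append((name, name in enabled))
    return findings

def suggested_replacement(domain):
    """Proxy-provider stanza that the release notes name as the alternative."""
    return f"[domain/{domain}]\nid_provider = proxy\nproxy_lib_name = files\n"

if __name__ == "__main__":
    for name, enabled in find_files_provider_domains(SAMPLE_CONF):
        state = "enabled" if enabled else "not listed in [sssd] domains"
        print(f"domain '{name}' ({state}) uses the deprecated files provider")
        print(suggested_replacement(name))
```

Configuration snippets under /etc/sssd/conf.d/ should be checked the same way, since a domain can be defined there as well.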

New features

  • New passkey functionality, which will allow the use of FIDO2 compliant devices to authenticate a centrally managed user locally. Moreover, in the case of a FreeIPA user, it can also issue a Kerberos ticket automatically with upcoming FreeIPA version 4.11.
  • Add support for ldapi:// URLs to allow connections to local LDAP servers
  • NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname

Note: support for passkey is in its initial phase and the authentication policy will be adjusted in future versions.

Packaging changes for passkey

  • Include passkey subpackage and dependency for libfido2.

Configuration changes for passkey

  • New options to enable and tune passkey behavior: pam_passkey_auth, ldap_user_passkey, passkey_verification, passkey_child_timeout, interactive, interactive_prompt, touch and touch_prompt.
  • --with-passkey is a new configuration option to enable building passkey authentication.

Important fixes

  • Fixed a regression where running sss_cache when no SSSD domain is enabled would produce a critical syslog message.

Configuration changes

  • The default value of the cache_first option was changed to true when SSSD is built without the files provider.
  • ipa_access_order parameter introduced. It behaves much like ldap_access_order but affects IPA domains (id_provider = ipa) and accepts limited values. Please see sssd-ipa(5) for more information.

See full release notes here.