SSSD 1.13.1
Highlights
- Initial support for Smart Card authentication was added. The feature can be activated with the new
pam_cert_auth
option
- The PAM prompting was enhanced so that when Two-Factor Authentication is used, both factors (password and token) can be entered separately on separate prompts. At the same time, only the long-term password is cached, so offline access would still work using the long term password
- A new command line tool
sss_override
is present in this release. The tools allows to override attributes on the SSSD side. It's helpful in environment where e.g. some hosts need to have a different view of POSIX attributes than others. Please note that the overrides are stored in the cache as well, so removing the cache will also remove the overrides
- New methods were added to the SSSD D-Bus interface. Notably support for looking up a user by certificate and looking up multiple users using a wildcard was added. Please see the interface introspection or the design pages for full details
- Several enhancements to the dynamic DNS update code. Notably, clients that update multiple interfaces work better with this release
- This release supports authenticating againt a KDC proxy
- The fail over code was enhanced so that if a trusted domain is not reachable, only that domain will be marked as inactive but the backed would stay in online mode
- Several fixes to the GPO access control code are present
Packaging Changes
- The Smart Card authentication feature requires a helper process
p11_child
that needs to be marked as setgid if SSSD needs to be able to. Please note the p11_child
requires the NSS crypto library at the moment
- The
sss_override
tool was added along with its own manpage
- The upstream RPM can now build on RHEL/CentOS 6.7
Documentation Changes
- The
config_file_version
configuration option now defaults to 2. As an effect, this option doesn't have to be set anymore unless the config file format is changed again by SSSD upstream
- It is now possible to specify a comma-separated list of interfaces in the
dyndns_iface
option
- The InfoPipe responder and the LDAP provider gained a new option
wildcard_lookup
that specifies an upper limit on the number of entries that can be returned with a wildcard lookup
- A new option
dyndns_server
was added. This option allows to attempt a fallback DNS update against a specific DNS server. Please note this option only works as a fallback, the first attempt will always be performed against autodiscovered servers.
- The PAM responder gained a new option
ca_db
that allows the storage of trusted CA certificates to be specified
- The time the
p11_child
is allowed to operate can be specified using a new option p11_child_timeout
See full release notes here.