
Releases: SSSD/sssd

sssd-2.9.0

05 May 10:04
2.9.0

SSSD 2.9.0 Release Notes

Highlights

General information

  • The sss_simpleifp library is deprecated and may be removed in a future release. Those who want to keep using it for a while should enable its build explicitly with the --with-libsifp ./configure option.
  • The "Files provider" (i.e. id_provider = files) is deprecated and may be removed in a future release. Those who want to keep using it for a while should enable its build explicitly with the --with-files-provider ./configure option, or consider using the "Proxy provider" with proxy_lib_name = files instead.
  • The previously deprecated --enable-files-domain configure option, which was used to set the default value of the enable_files_domain config option, is now removed.
  • The long-unused '--enable-all-experimental-features' configure option was removed.
  • SSSD will no longer warn about changed defaults when using ldap_schema = rfc2307 and the default autofs mapping. This warning was introduced in 1.14 to loudly warn about the changed default values.
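As an added illustration of the migration path the deprecation note recommends (this fragment is not from the release notes or the SSSD project), the following sssd.conf replaces a files-provider domain with the proxy provider reading the same local files through the "files" NSS module. The domain name "local" and the PAM service name sssd-shadowutils are assumptions for the example.

```ini
# Added example, not part of the SSSD release notes.
[sssd]
services = nss, pam
domains = local

[domain/local]
# Deprecated form this block replaces:
#   id_provider = files
# Identity comes from the libnss_files module, so /etc/passwd and
# /etc/group stay the source of truth.
id_provider = proxy
proxy_lib_name = files
# Authentication is delegated to the local PAM stack; proxy_pam_target names
# the /etc/pam.d service the proxy provider calls (assumed name).
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
```

After switching, verify with `getent passwd <localuser>` that lookups still resolve through SSSD and check the domain log for proxy errors before removing the --with-files-provider build option.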

New features

  • New passkey functionality, which will allow the use of FIDO2 compliant devices to authenticate a centrally managed user locally. Moreover, in the case of a FreeIPA user, it can also issue a Kerberos ticket automatically with upcoming FreeIPA version 4.11.
  • Add support for ldapi:// URLs to allow connections to local LDAP servers
  • NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname

Note: support for passkey is in its initial phase and the authentication policy will be adjusted in future versions.

Packaging changes for passkey

  • Include passkey subpackage and dependency for libfido2.

Configuration changes for passkey

  • New options to enable and tune passkey behavior: pam_passkey_auth, ldap_user_passkey, passkey_verification, passkey_child_timeout, interactive, interactive_prompt, touch and touch_prompt.
  • --with-passkey is a new configuration option to enable building passkey authentication.
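The following sssd.conf fragment is an added example showing where the new passkey options are set; it is not from the release notes or the SSSD project. The domain name is assumed, the option names are the ones listed above, and their section placement follows my reading of sssd.conf(5) and should be checked against the manual for your build. passkey_verification is left at its default here because its value syntax is not described on this page.

```ini
# Added example, not part of the SSSD release notes.
[sssd]
services = nss, pam
domains = ipa.example.com

[pam]
# Enable FIDO2 passkey authentication in the PAM responder (assumed section).
pam_passkey_auth = true
# Seconds the PAM responder waits for the passkey_child helper (assumed section).
passkey_child_timeout = 15

[domain/ipa.example.com]
id_provider = ipa
# LDAP attribute holding the user's registered passkey mapping (assumed section).
ldap_user_passkey = passkey

[prompting/passkey]
# Prompt the user to insert a device and to touch it; both prompts are
# configurable text (assumed section).
interactive = true
interactive_prompt = Insert your passkey device, then press ENTER.
touch = true
touch_prompt = Please touch the device.
```

Because the release notes state that the authentication policy for passkeys is still in its initial phase, keep a second, non-passkey authentication path available for administrative accounts until the policy settles.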

Important fixes

  • A regression where running sss_cache with no SSSD domain enabled produced a critical syslog message was fixed.

Configuration changes

  • Default value of cache_first option was changed to true in case SSSD is built without files provider.
  • ipa_access_order parameter introduced. It behaves much like ldap_access_order but affects IPA domains (id_provider = ipa) and accepts limited values. Please see sssd-ipa(5) for more information.

See full release notes here.

sssd-2.8.2

09 Dec 13:07
2.8.2

SSSD 2.8.2 Release Notes

Highlights

General information

  • SSSD can be configured not to perform a DNS search during DNS name resolution. This behavior is governed by the new dns_resolver_use_search_list option, which can be used in the domain section. The default value is true, meaning that SSSD follows the system settings.
  • The --enable-files-domain configure option is deprecated and will be removed in one of the next versions of SSSD.
  • The sssctl analyze tool no longer needs to be run as root.

New features

  • New mapping templates for the serial number, subject key id, SID, certificate hashes and DN components were added to libsss_certmap.

See full release notes here.

sssd-2.8.1

04 Nov 11:18
2.8.1

SSSD 2.8.1 Release Notes

Highlights

Important fixes

  • A regression where running sss_cache with no SSSD domain enabled produced a critical syslog message was fixed.

See full release notes here.

sssd-2.8.0

07 Oct 11:27
2.8.0

SSSD 2.8.0 Release Notes

Highlights

General information

  • The new D-Bus function ListByAttr() allows the caller to look for users that have an attribute with a certain value. For performance reasons, it is recommended that the attribute is indexed both on the remote server and on the local cache. The sssctl tool now provides the cache-index command to help you manage indexes on the local cache.

New features

  • Introduced the D-Bus function org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit), listing up to limit users matching the filter attr=value.
  • sssctl is now able to create, list and delete indexes on the local caches. Indexes are useful for the new D-Bus ListByAttr() function.
  • sssctl is now able to read and set each component's debug level independently.

Important fixes

  • The domains option in the [sssd] section can now be completely omitted if domains are enabled via the domains/enabled option.

Configuration changes

  • New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD processes. Enabled by default.
  • New option 'ldap_enumeration_refresh_offset' to set the maximum period deviation between enumeration updates. Defaults to 30 seconds.
  • New option 'subdomain_refresh_interval_offset' to set the maximum period deviation when refreshing the subdomain list.
  • New option 'dyndns_refresh_interval_offset' to set the maximum period deviation when updating the client's DNS entry. Defaults to 0.
  • New option 'refresh_expired_interval_offset' to set the maximum period deviation when refreshing expired entries in background.
  • New option 'ldap_purge_cache_offset' to set the maximum time deviation between cache cleanups. Defaults to 0.
  • Option 'ad_machine_account_password_renewal_opts' now accepts an optional third part as the maximum deviation in the provided period (first part) and initial delay (second part). If the period and initial delay are provided but not the offset, the offset is assumed to be 0. If no part is provided, the default is 86400:750:300.
  • override_homedir now recognizes the %h template which is replaced by the original home directory retrieved from the identity provider, but in lower case.
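As an added example (not from the release notes or the SSSD project), this sssd.conf fragment puts the 2.8.0 options together. The domain name is an assumption, and the offset values are illustrative; the point is that each offset adds random jitter to a periodic task so a fleet of clients does not contact the servers at the same moment, and that core_dumpable controls whether SSSD process memory, which may hold cached credentials, can be written to a core file.

```ini
# Added example, not part of the SSSD release notes.
[sssd]
services = nss, pam
domains = ad.example.com
# Hardening choice: keep SSSD processes non-dumpable. The 2.8.0 default is
# true; set it to false unless you actively need core dumps for debugging.
core_dumpable = false

[domain/ad.example.com]
id_provider = ad
# Maximum random deviation, in seconds, applied to each periodic task.
ldap_enumeration_refresh_offset = 30
subdomain_refresh_interval_offset = 120
dyndns_refresh_interval_offset = 60
refresh_expired_interval_offset = 60
ldap_purge_cache_offset = 300
# period:initial_delay:max_offset in seconds. The first two parts are the
# documented default; the third adds up to five minutes of jitter to the
# machine account password renewal.
ad_machine_account_password_renewal_opts = 86400:750:300
# %h expands to the provider-supplied home directory in lower case, so a
# user with unixHomeDirectory=/Home/Alice gets /home/alice.
override_homedir = %h
```

Disable core dumps only after confirming your debugging workflow does not rely on them; the per-process flag can be re-enabled in the same place when a dump is needed.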

See full release notes here.

sssd-2.7.4

26 Aug 20:53
2.7.4

SSSD 2.7.4 Release Notes

Highlights

General information

  • Lock-free client support will only be built if libc provides pthread_key_create() and pthread_once(). For glibc this means version 2.34+.

See full release notes here.

sssd-2.7.3

04 Jul 11:08
2.7.3

SSSD 2.7.3 Release Notes

Highlights

General information

  • All SSSD client libraries (nss, pam, etc) won't serialize requests anymore by default, i.e. requests from multiple threads can be executed in parallel. Old behavior (serialization) can be enabled by setting environment variable "SSS_LOCKFREE" to "NO".

See full release notes here.

sssd-2.7.2

13 Jun 14:25
2.7.2

SSSD 2.7.2 Release Notes

Highlights

Important fixes

  • A serious regression introduced in sssd-2.7.1 that prevented successful authentication of IPA users was fixed.

Configuration changes

  • Default value of pac_check changed to check_upn, check_upn_dns_info_ex (for AD and IPA provider).

See full release notes here.

sssd-2.7.1

02 Jun 11:32
2.7.1

SSSD 2.7.1 Release Notes

Highlights

General information

  • SSSD can now handle multi-valued RDNs if a unique name must be determined with the help of the RDN.

Important fixes

  • A regression in pam_sss_gss module causing a failure if KRB5CCNAME environment variable was not set was fixed.

Packaging changes

  • sssd-ipa no longer requires sssd-idp.

Configuration changes

  • New option implicit_pac_responder to control if the PAC responder is started for the IPA and AD providers, default is true.
  • New option krb5_check_pac to control the PAC validation behavior.
  • Multiple crl_file arguments can be used in the certificate_verification option.
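The following sssd.conf fragment is an added example (not from the release notes or the SSSD project) covering the PAC-related options from the 2.7.1 and 2.7.2 notes and the multiple-CRL form of certificate_verification. The domain name and CRL paths are assumptions. The PAC check option is written as pac_check, the name used in the 2.7.2 note above; the 2.7.1 entry calls it krb5_check_pac, so confirm the spelling your build accepts in sssd.conf(5).

```ini
# Added example, not part of the SSSD release notes.
[sssd]
services = nss, pam
domains = ad.example.com
# With the 2.7.1 default the PAC responder starts automatically for AD and
# IPA domains, so "pac" need not be listed under services (assumed section).
implicit_pac_responder = true
# Certificate revocation checks for smart-card logins can now consult more
# than one CRL, one crl_file= entry per file (paths are assumptions).
certificate_verification = crl_file=/etc/pki/crl/issuing-ca.crl, crl_file=/etc/pki/crl/root-ca.crl

[domain/ad.example.com]
id_provider = ad
# 2.7.2 default for AD and IPA: verify that the UPN in the PAC matches the
# user and that the extended DNS info is consistent, rejecting a ticket
# whose PAC disagrees with the directory.
pac_check = check_upn, check_upn_dns_info_ex
```

Keep the CRL files current with the issuing CA's publication schedule; a stale CRL is accepted as valid until its next-update time, so revocation only takes effect as fast as the files are refreshed.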

See full release notes here.

sssd-2.7.0

14 Apr 18:03
2.7.0

SSSD 2.7.0 Release Notes

Highlights

New features

  • Added a new krb5 plugin, idp, and a new binary, oidc_child, which performs OAuth2 authentication against FreeIPA. This cannot be tested yet because the feature is still under development on the FreeIPA server side. Nevertheless, we have decided to include it in this release so that the functionality is available on clients as soon as the FreeIPA project delivers the feature, without the need to update the clients.

General information

  • Better default for the IPA/AD re_expression. Tuning for group names containing '@' is no longer needed.
  • A warning is added to the logs if an LDAP operation needs more than 80% of the configured timeout.
  • A new debug level is added to show statistical and performance data. Currently the duration of a backend request and of single LDAP operations is recorded if debug_level is set to 9 or the bit 0x20000 is set.
  • Added support for anonymous PKINIT to get FAST credentials.
  • We have many warnings and errors from static analyzers

Important fixes

  • SSSD now correctly falls back to UPN search if the user was not found even with cache_first = true.

Packaging changes

  • Added new configure option --with-oidc-child and --without-oidc-child to control build of oidc_child (enabled by default).
  • Added new package sssd-idp that contains the oidc_child and krb5 idp plugin, this package is required by sssd-ipa.

See full release notes here.

sssd-2.6.3

25 Jan 11:17
2.6.3

SSSD 2.6.3 Release Notes

Highlights

Important fixes

  • A regression introduced in sssd-2.6.2 in the IPA provider that prevented users from logging in was fixed. Access control always denied access because the selinux_child returned an unexpected reply.
  • A critical regression that prevented authentication of users via AD and IPA providers was fixed. LDAP port was reused for Kerberos communication and this provider would send incomprehensible information to this port.
  • When authenticating AD users, backtrace was triggered even though everything was working correctly. This was caused by a search in the global catalog. Servers from the global catalog are filtered out of the list before writing the KDC info file. With this fix, SSSD does not attempt to write to the KDC info file when performing a GC lookup.

See full release notes here.