Releases: SSSD/sssd
sssd-2.9.0
SSSD 2.9.0 Release Notes
Highlights
General information
- The `sss_simpleifp` library is deprecated and might be removed in future releases. Those who want to keep using it for a while should configure its build explicitly using the `--with-libsifp` `./configure` option.
- The "Files provider" (i.e. `id_provider = files`) is deprecated and might be removed in future releases. Those who want to keep using it for a while should configure its build explicitly using the `--with-files-provider` `./configure` option, or consider using the "Proxy provider" with `proxy_lib_name = files` instead.
- The previously deprecated `--enable-files-domain` configure option, which was used to manage the default value of the `enable_files_domain` config option, is now removed.
- The long unused `--enable-all-experimental-features` configure option was removed.
- SSSD will no longer warn about changed defaults when using `ldap_schema = rfc2307` and the default autofs mapping. This warning was introduced in 1.14 to loudly warn about the different default values.
New features
- New passkey functionality, which will allow the use of FIDO2 compliant devices to authenticate a centrally managed user locally. Moreover, in the case of a FreeIPA user, it can also issue a Kerberos ticket automatically with upcoming FreeIPA version 4.11.
- Add support for ldapi:// URLs to allow connections to local LDAP servers
- NSS IDMAP has two new methods: `getsidbyusername` and `getsidbygroupname`.
Note: support for passkey is in its initial phase and the authentication policy will be adjusted in future versions.
Packaging changes for passkey
- Include passkey subpackage and dependency for libfido2.
Configuration changes for passkey
- New options to enable and tune passkey behavior: `pam_passkey_auth`, `ldap_user_passkey`, `passkey_verification`, `passkey_child_timeout`, `interactive`, `interactive_prompt`, `touch` and `touch_prompt`.
- `--with-passkey` is a new configure option to enable building passkey authentication.
Important fixes
- A regression where running sss_cache with no SSSD domain enabled produced a critical syslog message was fixed.
Configuration changes
- Default value of the `cache_first` option was changed to `true` in case SSSD is built without the files provider.
- ipa_access_order parameter introduced. It behaves much like ldap_access_order but affects IPA domains (id_provider = ipa) and accepts limited values. Please see sssd-ipa(5) for more information.
sssd-2.8.2
SSSD 2.8.2 Release Notes
Highlights
General information
- SSSD can be configured not to perform a DNS search during DNS name resolution. This behavior is governed by the new dns_resolver_use_search_list option, which can be used in the domain section. The default value is true, meaning that SSSD follows the system settings.
- The `--enable-files-domain` configure option is deprecated and will be removed in one of the next versions of SSSD.
- The `sssctl analyze` tool no longer needs to be run as root.
New features
- New mapping template for serial number, subject key id, SID, certificate hashes and DN components are added to libsss_certmap.
sssd-2.8.1
SSSD 2.8.1 Release Notes
Highlights
Important fixes
- A regression where running sss_cache with no SSSD domain enabled produced a critical syslog message was fixed.
sssd-2.8.0
SSSD 2.8.0 Release Notes
Highlights
General information
- The new D-Bus function ListByAttr() allows the caller to look for users that have an attribute with a certain value. For performance reasons, it is recommended that the attribute is indexed both on the remote server and on the local cache. The sssctl tool now provides the cache-index command to help you manage indexes on the local cache.
New features
- Introduced the D-Bus function org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit), listing up to limit users matching the filter attr=value.
- sssctl is now able to create, list and delete indexes on the local caches. Indexes are useful for the new D-Bus ListByAttr() function.
- sssctl is now able to read and set each component's debug level independently.
Important fixes
- The `domains` option in the `[sssd]` section can now be completely omitted if domains are enabled via the `domains/enabled` option.
Configuration changes
- New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD processes. Enabled by default.
- New option 'ldap_enumeration_refresh_offset' to set the maximum period deviation between enumeration updates. Defaults to 30 seconds.
- New option 'subdomain_refresh_interval_offset' to set the maximum period deviation when refreshing the subdomain list.
- New option 'dyndns_refresh_interval_offset' to set the maximum period deviation when updating the client's DNS entry. Defaults to 0.
- New option 'refresh_expired_interval_offset' to set the maximum period deviation when refreshing expired entries in background.
- New option 'ldap_purge_cache_offset' to set the maximum time deviation between cache cleanups. Defaults to 0.
- Option 'ad_machine_account_password_renewal_opts' now accepts an optional third part as the maximum deviation in the provided period (first part) and initial delay (second part). If the period and initial delay are provided but not the offset, the offset is assumed to be 0. If no part is provided, the default is 86400:750:300.
- override_homedir now recognizes the %h template which is replaced by the original home directory retrieved from the identity provider, but in lower case.
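The following is an added example, not SSSD's own code: it implements in plain Python the two option-parsing rules stated in this list, so that their edge cases can be exercised. The first is the `period:initial_delay[:offset]` format of `ad_machine_account_password_renewal_opts` with the defaults described above; the second is `override_homedir` template expansion including the new `%h`. The template subset implemented (`%u`, `%U`, `%d`, `%f`, `%o`, `%h`, `%%`) follows sssd.conf(5), and SSSD supports more templates than these; rejecting a single-part renewal value is an assumption, since the notes do not describe that case.

```python
"""Added example (not SSSD code): option-parsing rules from the SSSD 2.8.0 notes."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RenewalOpts:
    period: int         # seconds between machine account password renewals
    initial_delay: int  # seconds after start-up before the first renewal
    offset: int         # maximum random deviation added to the period


# Documented default when the option is not set at all: 86400:750:300
DEFAULT_RENEWAL = RenewalOpts(period=86400, initial_delay=750, offset=300)


def parse_renewal_opts(value: Optional[str]) -> RenewalOpts:
    """Parse 'period:initial_delay[:offset]'.

    - unset or empty value       -> 86400:750:300 (documented default)
    - 'period:initial_delay'     -> offset is assumed to be 0 (documented)
    - 'period:initial_delay:off' -> all three parts used as given
    Any other shape is rejected; the one-part case is not described in the
    release notes, so this parser refuses it (assumption) instead of guessing.
    """
    if value is None or not value.strip():
        return DEFAULT_RENEWAL
    parts = [p.strip() for p in value.split(":")]
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric part in {value!r}")
    nums = [int(p) for p in parts]
    if len(nums) == 2:
        return RenewalOpts(nums[0], nums[1], 0)
    if len(nums) == 3:
        return RenewalOpts(nums[0], nums[1], nums[2])
    raise ValueError(f"expected 2 or 3 colon-separated parts, got {len(nums)}")


def expand_homedir(template: str, *, user: str, uid: int, domain: str,
                   fqname: str, orig_home: str) -> str:
    """Expand an override_homedir template (subset of sssd.conf(5) templates).

    %u login name, %U numeric uid, %d domain name, %f fully qualified name,
    %o original home directory from the identity provider, %h the same but
    lower-cased (new in 2.8.0), %% a literal percent sign.
    """
    substitutions = {
        "u": user,
        "U": str(uid),
        "d": domain,
        "f": fqname,
        "o": orig_home,
        "h": orig_home.lower(),
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling '%' at end of template")
        spec = template[i + 1]
        if spec not in substitutions:
            raise ValueError(f"unsupported template %{spec}")
        out.append(substitutions[spec])
        i += 2
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(parse_renewal_opts(None))
    print(parse_renewal_opts("3600:60"))
    print(expand_homedir("/home/%d/%h", user="alice", uid=1001,
                         domain="example.com", fqname="alice@example.com",
                         orig_home="/Users/Alice"))
```

Note that `%o` keeps the provider's original case while `%h` lower-cases it; the difference matters on case-sensitive filesystems where the directory created by one path will not be found by the other.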
sssd-2.7.4
SSSD 2.7.4 Release Notes
Highlights
General information
- Lock-free client support will only be built if libc provides `pthread_key_create()` and `pthread_once()`. For glibc this means version 2.34+.
sssd-2.7.3
SSSD 2.7.3 Release Notes
Highlights
General information
- All SSSD client libraries (nss, pam, etc) won't serialize requests anymore by default, i.e. requests from multiple threads can be executed in parallel. Old behavior (serialization) can be enabled by setting environment variable "SSS_LOCKFREE" to "NO".
sssd-2.7.2
SSSD 2.7.2 Release Notes
Highlights
Important fixes
- A serious regression introduced in `sssd-2.7.1` that prevented successful authentication of IPA users was fixed.
Configuration changes
- Default value of `pac_check` changed to `check_upn, check_upn_dns_info_ex` (for AD and IPA provider).
sssd-2.7.1
SSSD 2.7.1 Release Notes
Highlights
General information
- SSSD can now handle multi-valued RDNs if a unique name must be determined with the help of the RDN.
Important fixes
- A regression in the `pam_sss_gss` module causing a failure if the `KRB5CCNAME` environment variable was not set was fixed.
Packaging changes
- `sssd-ipa` doesn't require `sssd-idp` anymore.
Configuration changes
- New option `implicit_pac_responder` to control if the PAC responder is started for the IPA and AD providers, default is `true`.
- New option `krb5_check_pac` to control the PAC validation behavior.
- Multiple `crl_file` arguments can be used in the `certificate_verification` option.
sssd-2.7.0
SSSD 2.7.0 Release Notes
Highlights
New features
- Added a new krb5 plugin `idp` and a new binary `oidc_child` which performs OAuth2 authentication against FreeIPA. This, however, cannot be tested yet because this feature is still under development on the FreeIPA server side. Nevertheless, we have decided to include this in the release in order to enable the functionality on the clients immediately when the FreeIPA project delivers this feature, without the need to update the clients.
General information
- Better default for IPA/AD re_expression. Tuning for group names containing '@' is no longer needed.
- A warning is added in the logs if an LDAP operation needs more than 80% of the configured timeout.
- A new debug level is added to show statistical and performance data. Currently the duration of a backend request and of single LDAP operations are recorded if debug_level is set to 9 or the bit 0x20000 is set.
- Added support for anonymous PKINIT to get FAST credentials
- We have many warnings and errors from static analyzers
Important fixes
- SSSD now correctly falls back to UPN search if the user was not found even with `cache_first = true`.
Packaging changes
- Added new configure options `--with-oidc-child` and `--without-oidc-child` to control the build of `oidc_child` (enabled by default).
- Added new package `sssd-idp` that contains the `oidc_child` binary and the krb5 `idp` plugin; this package is required by `sssd-ipa`.
sssd-2.6.3
SSSD 2.6.3 Release Notes
Highlights
Important fixes
- A regression introduced in sssd-2.6.2 in the IPA provider that prevented users from logging in was fixed. Access control always denied access because the selinux_child returned an unexpected reply.
- A critical regression that prevented authentication of users via AD and IPA providers was fixed. LDAP port was reused for Kerberos communication and this provider would send incomprehensible information to this port.
- When authenticating AD users, backtrace was triggered even though everything was working correctly. This was caused by a search in the global catalog. Servers from the global catalog are filtered out of the list before writing the KDC info file. With this fix, SSSD does not attempt to write to the KDC info file when performing a GC lookup.