[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Freeipa-interest] Announcing SSSD 1.6.0



The SSSD team is proud to announce the version 1.6.0 release of the
System Security Services Daemon.

As always, it can be downloaded from https://fedorahosted.org/sssd/


== Highlights ==
 * Add host access control support for LDAP (similar to pam_host_attr)
 * Finer-grained control on principals used with Kerberos (such as for
FAST or validation)
 * Added a new tool {{{sss_cache}}} to allow selective expiring of
cached entries
 * Added support for LDAP DEREF and ASQ controls
  * This will result in a marked speedup when dealing with initgroups
requests of users in many groups
 * Added access control features for Novell Directory Server
 * FreeIPA dynamic DNS update now checks first to see if an update is
needed
  * Previously we would always issue an update upon any 'going online'
event
 * Complete rewrite of the HBAC library
 * New libraries: libipa_hbac and libipa_hbac-python

== Detailed Changelog ==
Gowrishankar Rajaiyan (2):
 * removing password option functionality
 * updating sss_obfuscate man page accordingly

Jakub Hrozek (92):
 * Use realm for basedn instead of IPA domain
 * Reset server status after timeout
 * Prevent segfault in failover code
 * Always expire host name resolution
 * Run callbacks if server IP changes
 * Mention Samba libraries URLs in BUILD.txt
 * Fix LDAP search filter for nested initgroups
 * Add originalDN to fake groups
 * Use fake groups during IPA schema initgroups
 * Return from functions in LDAP provider after marking request as
failed
 * Fix typo in sdap_nested_group_process_step
 * Mark transaction as done when cancelled
 * Only save members for successfully saved groups
 * Do not attempt to resolve nameless servers
 * Don't pass NULL to printf for TLS errors
 * Fix unchecked return values of pam_add_response
 * Remove detection of duplicates from SRV result processing
 * Use safe alignment macros for in-tree SRV record parsing
 * The systemd unit file should not require DBus
 * Provide a configuration option to use systemd unit file
 * Only check systemd unit dir if systemd is selected
 * Set same status for duplicate servers
 * Add user and group search LDAP filter options
 * Case insensitive originalDN test
 * Require openssl-devel is libcrypto backend is selected
 * Warn that some crypto features are implemented in NSS only
 * Disable libcrypto code
 * Do not leak LDAP paging controls
 * Fix order of arguments in select_principal_from_keytab() call
 * Do not leak pcre context
 * Do not leak LDAP URI with high log level
 * Do not leak netgroups hash table
 * Remove unused constants from data_provider.h
 * Use a temporary memory context in expand_ccname_template
 * Set c-ares to retry nameservers
 * Remove append_attrs_to_array
 * Rename label in expand_ccname_template
 * Add a new option to override primary GID number
 * Add a new option to override home directory value
 * Add new options to override shell value
 * sdap_get_generic_ext
 * Generic dereference data structures and utilities
 * Add support for Attribute Scoped Queries
 * OpenLDAP dereference searches
 * Generic dereference search
 * Change sysdb_add_fake_user to add OriginalDN
 * Use fake users during RFC2307bis nested group processing
 * Refactor RFC2307bis nested group processing
 * Use dereference when processing RFC2307bis nested groups
 * Fix bad comparison in sdap_has_deref_support
 * Fix uninitialized pointer read in sdap_x_deref_parse_entry
 * Fix uninitialized scalar variable in sdap_nested_group_check_cache
 * Separate return paths for success and failure in
sdap_nested_group_check_cache
 * Add utility function to return IP address as string
 * Add a utility function to escape IPv6 address for use in URIs
 * Use escaped IP addresses in LDAP provider
 * Escape IPv6 IP addresses in the IPA provider
 * Make parse_args skip extra spaces
 * Unit test for parge_args
 * Add new resolv_hostent data structure and utility functions
 * Resolve hosts by name from files into resolv_hostent
 * Resolve hosts by name from DNS into resolv_hostent
 * Switch resolver to using resolv_hostent and honor TTL
 * Provide TTL structure names for c-ares < 1.7
 * Test NULL server hostname in fail over tests
 * Log nsupdate message
 * ipa_dyndns: Use sockaddr_storage for storing IP addresses
 * Provide python bindings for the HBAC evaluator library
 * Move IP adress escaping from the LDAP namespace
 * Escape IP address in kdcinfo
 * Do not hardcode default resolver timeout
 * Split reading resolver family order into a separate function
 * Allow returning arbitrary address from resolv_hostent as string
 * Check DNS records before updating
 * Remove unused krb5_service structure member
 * Use ares_search instead of ares_query for hostname resolution
 * Fixes for python HBAC bindings
 * Fix python HBAC bindings for python <= 2.4
 * Do not add a NULL host parsed from LDAP URI
 * Only print server address if one is available
 * Rename fo_get_server_name to fo_get_server_str_name
 * fo_get_server_name() getter for a server name
 * Fix indexing of skipped groups
 * Set gidNumber of non-posix groups to 0 even on updates
 * Explicitly ignore groups with gidNumber=0
 * Remove dead code from python HBAC bindings
 * Handle allocation error in python HBAC bindings
 * UTF8 HBAC test
 * Wrong paramater to sysdb_attrs_add_uint32
 * Change the default value of ldap_tls_cacert in IPA provider
 * HBAC rule validation Python bindings
 * Request password control unconditionally during bind

Jan Zeleny (28):
 * Remove unused be_check_online() SBUS call
 * Remove unused sysdb_attrs object
 * Fix one unlikely case of failure in sdap_id_op module
 * Add last usn checking after reconnection
 * Extend and move function for finding principal in keytab
 * Allow new option to specify principal for FAST
 * Don't use negative cache in netgroup lookup
 * Configuration parsing updates
 * Added originalDN to attributes with case-insensitive search
 * Modify principal selection for keytab authentication
 * Fixed lastUSN checking improvements
 * Make sysdb_ctx_list public structure
 * Add a function for searching netgroups with custom filter
 * Cache cleaning tool
 * Some minor fixes and changes in sysdb_ops
 * Man page for sss_cache
 * Added some kerberos functions for building on RHEL5
 * Fixed --debug-to-files for nss and pam services
 * Fixed wrong variable in sdap_initgr_nested_store
 * Possible memory leak fixed
 * Fixed unitialized return value in match_principal
 * Fixed unitialized pointer in select_principal_from_keytab
 * Fixed uninitialized value in sss_cache
 * Fixed copying of pam_data structure
 * Added sysdb_attrs_get_bool() function
 * Non-posix group processing - sysdb changes
 * Non-posix group processing - ldap provider and nss responder
 * Fall back to polling when inotify fails

John Hodrien (1):
 * Add vetoed_shells option

Kaushik Banerjee (1):
 * Changing default to Default for consistency

Matthew Ife (1):
 * Replace system() function with fork and execl call.

Pierre Ossman (1):
 * Add host access control support

Simo Sorce (8):
 * Check that the socket is really ours before attempting to close it.
 * Use neutral name for functions used by both pam and nss
 * sysdb: use header defined macros instead of explicit values
 * memberof: fix calculation of replaced members
 * memberof: free delete operation apyload once done
 * clients: use poll instead of select
 * fix typos
 * sss_client: avoid leaking file descriptors

Stephen Gallagher (96):
 * Update version to 1.5.2dev
 * Sanitize search filters for nested group lookups
 * Bumping version to 1.6.0dev
 * Wrap cleanup task in a sysdb transaction
 * Add additional indexing for sysdb
 * Make the domain argument mandatory in sss_obfuscate
 * Gracefully handle permission errors in sss_obfuscate
 * Make SSSDConfig API configuration readable
 * Only print "no matching service rule" when appropriate
 * Clear up -Wunused-but-set-variable warnings
 * Fix cleanup transaction
 * Fix module registration with newer LDB libraries.
 * Verify LDAP file descriptor validity
 * Minor specfile changes
 * Detect the proper location for memberof.so
 * Fix specfile for RHEL5
 * Do not attempt to use START_TLS on SSL connections
 * Point the IPA provider at the compat tree for netgroups
 * Remove cached user entry if initgroups returns ENOENT
 * Perform initgroups lookups for all domains
 * IPA provider: remove deleted groups during initgroups()
 * Allow krb5_realm to override ipa_domain
 * Add krb5_realm to the basic IPA options
 * Fix uninitialized value error in ipa_get_id_options()
 * Add transifex_client configuration
 * Add new translations from Transifex
 * Update translation sources
 * Require existence of GID number and name in group searches
 * Require existence of username, uid and gid for user enumeration
 * Add support for krb5 access provider to SSSDConfig API
 * Fix incorrect return value check
 * Create sysdb_get_rdn() function
 * Add sysdb_attrs_primary_name()
 * Ignore aliases for users
 * RFC2307: Ignore aliases for groups
 * RFC2307bis: Ignore aliases for groups
 * Use sysdb_attrs_primary_name() in sdap_initgr_nested_store_group
 * Add sysdb_attrs_primary_name_list() routine
 * Don't crash if we get a multivalued name without an origDN
 * Don't crash on error if _name parameter unspecified
 * Check result of talloc_strdup() properly
 * sss_obfuscate: Avoid traceback on ctrl+d
 * sss_obfuscate: abort on ctrl+c
 * Always complete the transaction in sdap_process_group_members_2307
 * RFC2307: Ignore zero-length member names in group lookups
 * Fall back to cn if gecos is not available
 * Never remove gecos from the sysdb cache
 * Do not throw a DP error when failing to delete a nonexistent entity
 * Add debug logging to the negative cache
 * Fix a regression with the negative cache in multi-domain
configurations
 * Fix regression where nonexistent entries were never added to the
negative cache
 * Don't leak memory if sysdb_domain_init() fails
 * Run all appropriate upgrades
 * Reopen the LDB after modifying it
 * Always generate kpasswdinfo file
 * Add value of the last USN to server configuration
 * simple provider: Don't treat primary GID lookup failures as fatal
 * Log the LDAP message type we're processing
 * Enable paging support for LDAP
 * Add ldap_page_size configuration option
 * Add "description" option to SSSDConfig API
 * Regular translation update
 * Fix IPA config bug with SDAP_KRB5_REALM
 * Fix segfault in IPA provider
 * Fix bad password caching when using automatic TGT renewal
 * Fix minor typo in error message
 * Override config file debug_level with command-line
 * Include manpage for sss_cache
 * Create common sss_monitor_init()
 * Allow changing the log level without restart
 * IPA Provider: don't fail if user is not a member of any groups
 * Build SSSD plugins without a version number
 * Build sssd utils as a libtool helper library
 * Import config.h earlier
 * Make "password" the default for ldap_default_authtok_type
 * Add more detail to ldap_uri manpage entry
 * Fix typo in initgroups negative cache check
 * Ensure that SSSD always Requires: the primary-arch sssd-client
 * Do not attempt to close() a file descriptor < 0
 * Add helper function msgs2attrs_array
 * Add HBAC evaluator and tests
 * Add helper functions for looking up HBAC rule components
 * Remove old HBAC implementation
 * Add new HBAC lookup and evaluation routines
 * Add ipa_hbac_refresh option
 * Add ipa_hbac_treat_deny_as option
 * Treat NULL or empty rhost as unknown
 * Allow NULL memctx in sysdb_custom_subtree_dn
 * libipa_hbac: Support case-insensitive comparisons with UTF8
 * Fix memory leak in ipa_hbac_evaluate_rules
 * Fix incorrect NULL check in ipa_hbac_common.c
 * Converge accept_fd_handler and accept_priv_fd_handler
 * Require matched version and release for libipa_hbac
 * Remove incorrect private variable
 * Add rule validator to libipa_hbac
 * Allow LDAP to decide when an expiration warning is warranted

Sumit Bose (38):
 * Fix handling of translated man pages in spec file
 * Remove LDAP_DEPRECATED
 * Make 'make check' look nice again
 * Introduce sysdb_ldb_connect()
 * Check LDB_MODULES_PATH for sysdb
 * Fix for generating lists of translated man pages
 * Remove renewal item if it is not re-added
 * Check ccache file for renewable TGTs at startup
 * Do not try to delete sysbd memberOf attribute
 * Fixes for dynamic DNS update
 * Add missing name to struct getent_ctx for missing netgroup
 * Refactor set_netgroup_entry()
 * Change state of hash entry if netgroup cannot be parsed
 * Release handle if not connected
 * Sanitize DN when searching the original DN in the cache
 * Read only rootDSE data if rootDSE is available
 * Initialise srv_opts even if rootDSE is missing
 * Initialise rootdse to NULL if not available
 * Return pam data to the renewal item if renewal fails
 * Add support for openldap24 package on RHEL 5.7
 * Set _GNU_SOURCE globally
 * Remove unused defines from configure.ac
 * Include string.h in sss_cli.h
 * Sanitize username during initgroups call
 * Add online callback only once for TGT renewal
 * Delete cached ccache file if password is expired
 * Fix two typos
 * Add missing libsss_util to proxy provider
 * Fix proxy provider return code for secondary missing groups
 * Do not check pwdAttribute
 * Add sockaddr_storage to sdap_service
 * Add sdap_call_conn_cb() to call add connection callback directly
 * Use name based URI instead of IP address based URIs
 * Use ldap_init_fd() instead of ldap_initialize() if available
 * Do not access state after tevent_req_done() is called.
 * Call ldap_install_tls() on ldaps connections
 * Add support for experimental features
 * Add LDAP access control based on NDS attributes

pbrezina (1):
 * silence compilation warnings on RHEL5

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]