Hash: SHA1

The SSSD team is proud to announce the enhancement release 1.3.0 of the
System Security Services Daemon. As usual, it can be downloaded from

== Highlights ==
 * Rewrote the internal LDB cache API. As a synchronous API it is now
faster to access and easier to work with
 * Eugene Indenbom contributed a sizeable amount of code to the LDAP
  * We now handle failover situations much more reliably than we did
  * If a request fails partway through (due to a remote server ceasing
to function) we will now restart the conversation with the next server
in the failover list
  * We also will now monitor the GSSAPI kerberos ticket and
automatically renew it when appropriate, instead of waiting for a
connection to fail
 * Support for netlink now allows us to more quickly detect situations
where we may have come online
 * New option {{{dns_discovery_domain}}} allows better configuration for
using SRV records for failover
 * Fixes to the HBAC backend for obsolete or removed HBAC entries
 * Improvements to log messages around TLS and GSSAPI for LDAP
 * Support for building in environments using --as-needed LDFLAGS
 * Vast performance improvement for initgroups on RFC2307 LDAP servers
 * Long-running SSSD clients (e.g. GDM) will now reconnect properly to
the daemon if SSSD is restarted

== Detailed Changelog ==
Alexander Gordeev (1):
 * Add explicit requests for several operational attrs

David O'Brien (1):
 * Copy-edit and format review sssd.conf

Dmitri Pal (16):
 * Adding metadata interface
 * Adding content to the metadata
 * Resolve paths for reporting purposes
 * Acess control and config change checks
 * Add ability to trace 64bit numbers
 * Fixing spec file to match version.
 * Fixing build
 * Code restructuring
 * Extending refarray interface
 * Introducing a comment object
 * Adding support for explicit 32/64 types (attempt 2).
 * Addressing initialization issues.
 * Fixing types in queue and stack interfaces
 * Fixing memory leaks in the unit test.
 * Fixing NULL dereferencing in ini_config
 * Memory leak in case of empty value

Héctor Daniel Cabrera (3):
 * Updating ES translation
 * Updating es translation
 * Updating es translation

Jakub Hrozek (37):
 * Treat server names as case-insensitive in failover code
 * Do not mark a request as failed twice
 * Sort SRV replies according to RFC 2782
 * Remove freed server_common entities from list
 * Support SRV servers in failover
 * Silence warnings with -O2
 * Fix uninitialized variable
 * Add a README file
 * Use all available servers in LDAP provider
 * Improve the offline authentication message
 * Fix memory hierarchy in the ipa timerules
 * Use service discovery in backends
 * SSSDConfigAPI fixes
 * Try all servers during Kerberos auth
 * Remove dead code from the PAM responder
 * Man page fixes
 * Don't return uninitialized value in proxy provider
 * Skip empty attributes with warning
 * Fix realm_str dereference
 * Fix potential NULL dereference in fail_over.c
 * Fix Incorrect NULL check in get_server_common()
 * Add missing break to switch statement
 * get_uid_from_pid should use fstat rather than lstat
 * Remove krb5_changepw_principal option
 * Remove the -g option from useradd
 * Fix potential resource leak in copy_tree_ctx()
 * Potential memory leak in _nss_sss_*_r()
 * Check closedir call in find_uid
 * Print correct return code
 * Resend SIGINT as SIGTERM in services
 * Add dns_discovery_domain option
 * Use netlink to detect going online
 * Fix getting default realm in the ldap child
 * Validate keytab at startup
 * Fix two problems with --as-needed
 * Fix check_time_rule() return value on failure
 * Return proper error value when SRV lookup fails

Petter Reinholdtsen (2):
 * Allow Debian/Ubuntu build to pass --install-layout=deb to setup.py
 * Remove bash-isms from configure macros

Piotr Drąg (2):
 * Update Polish translation
 * Updating pl translation

Rui Gouveia (2):
 * Updating pt translation
 * Update pt translation

Simo Sorce (45):
 * sysdb: start conversion from async to sync
 * sysdb: use sysdb_delete_entry in recursive delete
 * sysdb: convert sysdb_delete_custom
 * sysdb: convert sysdb_search_entry and sysdb_delete_recursive
 * sysdb: convert sysdb_search_user_by_name/uid
 * sysdb: convert sysdb_search_group_by_name/gid
 * sysdb: convert sysdb_set_entry/user/group_attr
 * sysdb: convert sysdb_get_new_id
 * sysdb: convert sysdb_store/add(_basic)_user
 * sysdb: convert sysdb_store/add(_basic)_group
 * sysdb: convert sysdb_mod/add/remove_group_member
 * sysdb: convert sysdb_cache_password
 * sysdb: convert sysdb_search_custom
 * sysdb: convert sysdb_store_custom
 * sysdb: convert sysdb_asq_search
 * sysdb remove sldb_request_send, not used anymore
 * sysdb: convert sysdb_search_users
 * sysdb: convert sysdb_delete_user
 * sysdb: delete sysdb_delete_group
 * sysdb: convert sysdb_search_groups
 * sysdb: convert sysdb_cache_auth
 * sysdb: remove sysdb_check_handle
 * tests: remove use of asynchronus transactions
 * sysdb: add synchronous transaction functions
 * proxy: complete conversion to synchronous sysdb
 * Use the sysdb synchronous transaction functions
 * Remove remaining use of sysdb_transaction_send
 * sysdb: remove async transactions
 * sysdb: add automatic transactions where needed
 * sysdb: convert sysdb_getpwnam
 * sysdb: convert sysdb_getpwuid
 * sysdb: convert sysdb_getgrnam
 * sysdb: convert sysdb_getgrgid
 * sysdb: convert sysdb_get_user_attr
 * sysdb: convert sysdb_enumpwent
 * sysdb: convert sysdb_enumgrent
 * Adjust fill_pwent and fill_grent
 * sysdb: convert sysdb_initgroups
 * sysdb: remove obsolete helpers from sysdb
 * sysdb: remove remaining traces of sysdb_handle
 * sysydb: Finally stop using a common event context
 * Make groupshow synchronous.
 * tools: remove creation of event_context
 * Better handle sdap_handle memory from callers.
 * Avoid freeing sdap_handle too early

Stephen Gallagher (81):
 * Support docdir and abs_builddir
 * sysdb: convert sysdb_delete_entry
 * Bumping version on master to 1.2.90
 * Update translations for master branch
 * Fix merge error for sss_userdel.c
 * Remove unused configure macro
 * Fix warning in sysdb-tests.c
 * Fix ini_config unit test
 * Give information about ldap_schema in the sample config
 * Make ID provider init functions clearer
 * Remove the NSS_LIBS and KRB5_LIBS variables from sssd.spec
 * Add dns_resolver_timeout option
 * Fix segfault in GSSAPI reconnect code
 * Make krb5_kpasswd available for any krb5 provider
 * Clean up kdcinfo and kpasswdinfo files when exiting
 * Add callback when the ID provider switches from offline to online
 * Add dynamic DNS updates to FreeIPA
 * Revert "Add dynamic DNS updates to FreeIPA"
 * Properly set up SIGCHLD handlers
 * Add dynamic DNS updates to FreeIPA
 * Don't report a fatal error for an HBAC denial
 * Add a better error message for TLS failures
 * Add enumerate details to the manpage and examples
 * Revert "Copy pam data from DBus message"
 * Display name of PAM action in pam_print_data()
 * Make data provider id_callback public
 * Fix error reporting for be_pam_handler
 * Proxy provider PAM handling in child process
 * Support password changes in chpass_provider = proxy
 * Add ldap_access_filter option
 * Fix typo in Makefile
 * Fix broken build against older versions of OpenLDAP
 * Fix typo in Makefile.am
 * Disable connection callbacks when going online
 * Change default min_id to 1
 * Allow ldap_access_filter values wrapped in parentheses
 * Properly handle read() and write() throughout the SSSD
 * Fix misuse of errno in find_uid.c
 * Avoid potential NULL dereference
 * Properly handle missing originalMemberOf entry in initgroups
 * Don't leak directory access resources on errors in directory_list()
 * Check the correct variable for NULL after creating timer
 * Properly check that the timeout event was created for cleanup/enum
 * Check return code of hash_delete in proxy_child_destructor
 * Eliminate unused variable from pc_init_timeout()
 * Make sure to close varargs before returning from a function
 * Properly null-terminate socket path
 * Add ldap_force_upper_case_realm to example AD config
 * Don't segfault if ldap_access_filter is unspecified
 * Handle (ignore) unknown options in get_domain() and get_service()
 * Remove references to the DP service from the SSSDConfig API tests
 * Standardize on correct spelling of "principal" for krb5
 * Initialize len before looping to read the pidfile
 * Ensure that all domains are checked for users/groups
 * Refactor the negative cache
 * Move setup of filter_users and filter_groups to negcache.c
 * Honor filter_users in PAM
 * Fix potential resource leak in remove_tree_with_ctx()
 * Fix return value from remove_connection_callback() destructor
 * Protect against segfault in remove_ldap_connection_callbacks
 * Drop release requirement from versions
 * Bump libini_config version to 0.6.0
 * Replace %define with %global in example spec
 * Make RootDSE optional
 * Rename proxy_ctx to proxy_id_ctx for clarity
 * Split proxy.c into smaller files
 * Add try_inotify option
 * Release SSSD 1.2.91 (1.3.0rc1)
 * Add sss_log() function
 * Add log notifications for startup and shutdown.
 * Add syslog messages for LDAP GSSAPI bind
 * Log TLS errors to syslog
 * Require -ltalloc for tevent configure check
 * be_pam_handler(): Fix potential NULL dereference
 * Add sysdb_attrs_to_list() utility function
 * Add diff_string_lists utility function
 * Add sysdb_group_dn_name utility function
 * Add dup_string_list() utility function
 * Add sysdb_update_members function
 * Clean up initgroups processing for RFC2307
 * Releasing SSSD 1.3.0

Sumit Bose (52):
 * Revert "Add better checks on PAM socket"
 * Use SO_PEERCRED on the PAM socket
 * Set LDAP_OPT_RESTART for all LDAP connections
 * Fix a potential memory violation
 * Make the handling of fd events opaque
 * Unset authentication tokens if password change fails
 * Display a message if a password reset by root fails
 * Fix wrong return value
 * Fix a wrong return value in IPA HBAC
 * Split pam_data utilities into a separate file
 * Create kdcinfo and kpasswdinfo file at startup
 * Compare the full service name
 * Add retry option to pam_sss
 * Add more warnings about nearly expired passwords
 * Make Kerberos authentication a tevent_req
 * New version of IPA auth and password migration
 * Add ldap_krb5_ticket_lifetime option
 * Defer sbus_dispatch() for 30ms during reconnect
 * Copy pam data from DBus message
 * Do not modify IPA_DOMAIN when setting Kerberos realm
 * Handle Krb5 password expiration warning
 * Add support for delayed kinit if offline
 * Fix handling of ccache file when going offline
 * Move parse_args() to util
 * Copy pam data from DBus message
 * Revert "Create kdcinfo and kpasswdinfo file at startup"
 * Refactor data provider callbacks
 * Add offline callbacks
 * Refactor krb5_finalize()
 * Add run_callbacks flag
 * Add callback to remove krb5 info files when going offline
 * Krb5 locator plugin returns KRB5_PLUGIN_NO_HANDLE
 * Refactor krb5 SIGTERM handler installation
 * Add krb5 SIGTERM handler to ipa auth provider
 * Add offline callback to disconnect global SDAP handle
 * Reset run_online_cb flag even if there are no callbacks
 * Fix check if LDAP id provider is already initialized
 * Remove signal event if child was terminated by a signal
 * Check ipaEnabledFlag
 * Add sysdb_attrs_get_string_array()
 * Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()
 * Use new schema for HBAC service checks
 * Remove service groups
 * Compare full service name
 * Unify sdap and sysdb data handling
 * Initialize pam_data in Kerberos child.
 * Avoid a potential double-free
 * Add a missing initializer
 * Add a missing free()
 * Fix SASL authentication
 * Do not treat missing HBAC rules as an error
 * Allow sssd clients to reconnect

Yuri Chornoivan (2):
 * Update Ukrainian translation
 * Updating uk translation

eindenbom (15):
 * Avoid accessing half-deallocated memory when using talloc_zfree macro.
 * GSSAPI ticket expiry time is returned from ldap_child and stored in
sdap_handle for future reference.
 * Added an interface to query number of configured (and currently
resolved through SRV records) failover servers.
 * LDAP connection usage tracking, sharing and failover retry framework.
 * Add an interface to try next fail-over server after connection to the
active server was unexpectedly dropped.
 * Use new LDAP connection framework to get user account info from LDAP.
 * Use new LDAP connection framework to get group account info from LDAP.
 * Use new LDAP connection framework to get user account groups from LDAP.
 * Use new LDAP connection framework for LDAP user and group enumeration.
 * Use new LDAP connection framework in LDAP access backend.
 * Use new LDAP connection framework in IPA access backend.
 * Use new LDAP connection framework in IPA dynamic DNS forwarder.
 * Remove remainder of now unused global LDAP connection handle.
 * Eliminate delayed sdap_handle destruction after fail-over retry.
 * Fix IPA access backend handling of obsolete and missing HBAC entries:

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/


Freeipa-interest mailing list

Reply via email to