The SSSD team is proud to announce the latest enhancement release of the System Security Services Daemon.

The source tarball is available at https://fedorahosted.org/sssd

== Highlights ==

* Fixed issues with LDAP search filters that needed to be escaped
* Add Kerberos FAST support on platforms that support it
* Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
* Added a Kerberos access provider to honor .k5login
* Addressed several thread-safety issues in the sss_client code
* Improved support for delayed online Kerberos auth
  * Significantly reduced time between connecting to the network/VPN and acquiring a TGT
* Added feature for automatic Kerberos ticket renewal
  * Provides the kerberos ticket for long-lived processes or cron jobs even when the user logs out
* Added several new features to the LDAP access provider
  * Support for 'shadow' access control
  * Support for authorizedService access control
  * Ability to mix-and-match LDAP access control features
* Added an option for a separate password-change LDAP server for those platforms where LDAP referrals are not supported
* Added support for manpage translations

== Detailed Changelog ==

Jakub Hrozek (5):
* Always use uint32_t for UID/GID numbers
* Internal DNS resolver should check /etc/hosts
* Allow protocol fallback for SRV queries
* Make manual pages translatable
* Add Czech translation

Jan Zeleny (1):
* Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.

Marko Myllynen (1):
* Fix a typo in sssd-krb5 man page

Moritz Baumann (1):
* Fix misused SDAP_SEARCH_BASE

Piotr Drąg (1):
* Updating pl translation

Simo Sorce (6):
* sss_client: make code thread-safe
* Pass sdap_id_ctx in sdap_id_op functions.
* ldap: remove variable that was never assigned nor used
* ldap: add checks to determine if USN features are available.
* ldap: Use USN entries if available.
* Fix wrong test in pam_sss

Stephen Gallagher (58):
* Write log opening failures to the syslog
* Improve versioning for automated builds
* Bumping version to 1.5.0 dev
* Fix incorrect free of req in krb5_auth.c
* Don't clean up groups for which a user has it as primary GID
* Handle errors during log reopening better
* Properly check the return value from semanage_commit
* Add utility function to sanitize LDAP/LDB filters
* Add sysdb utility function for sanitizing DN
* Sanitize search filters for the sysdb
* Sanitize sysdb search filters in the IPA provider
* Sanitize sysdb filters in the LDAP provider
* Sanitize sysdb DN helpers
* Sanitize search filters in memberOf plugin
* Sanitize sysdb dn for memberof lookup
* Add unit tests for users and groups with odd characters
* Sanitize search filters in LDAP provider
* Properly document ldap_purge_cache_timeout
* Sanitize ldap attributes in the config file
* Fix cast warning for pam_sss.c
* Fix const cast warning for sysdb_update_members
* Fix const cast warning in build_attrs_from_map
* Fix const cast issue with sysdb_attrs_users_from_str_list
* Fix const cast warning in confdb_create_ldif
* Fix const cast warnings in tests
* Fix incorrect type comparison
* Log startup errors to syslog
* Ensure that SSSD shuts down completely before restarting
* Fix authentication queue code for proxy auth
* Wait for all children to exit
* Add signal documentation to sssd(8)
* Print correct error messages for dp_err_to_string()
* Make default SIGTERM and SIGINT handlers use tevent
* Resend SIGTERM if child doesn't terminate
* Set up signal handlers before initializing sysdb
* Make sure that sss_obfuscate installs as executable
* Move sss_* tools into their own subpackage
* Remove IPA_ACCESS_TIME define
* Add group support to the simple access provider
* Fix timeouts for DNS resolver
* Reschedule the fd timeout for secondary lookups
* Eliminate possible NULL-dereference in pam_check_user_search
* Add missing break statement to sss_hash_create
* Prevent uninitialized value error in monitor_quit
* Fix invalid sizeof in pidfile
* Fix segfault for PAM_TEXT_INFO conversations
* Fix unchecked return value in sss_krb5_verify_keytab_ex
* Fix unsafe return condition in ipa_access_handler
* Fix uninitialized value error in set_local_and_remote_host_info
* Fix unchecked return value in test_sysdb_attrs_to_list
* Fix unchecked return value in set_nonblocking
* Start first enumeration immediately
* Add sysdb_has_enumerated and sysdb_set_enumerated helper functions
* Pass all PAM data to the LDAP access provider
* Add authorizedService support
* Ensure ID is checked in all domains for PAM
* Update the ID cache for any PAM request
* Committing new translation updates for release

Sumit Bose (79):
* Add ldap_deref option
* Add some missing ldap_memfree()
* Download only enabled IPA HBAC rules
* Add netgroups infrastructure to proxy provider
* Implement netgroups for proxy provider
* Remove all nss requests after a reconnect
* Always use talloc_zero() to allocate cmdctx
* Fix double free issue
* Allow authentication for referrals
* Mention ding-libs in BUILD.txt
* Fix two return value checks
* Store krb5 auth context for other targets
* Add infrastructure for Kerberos access provider
* Add krb5_get_simple_upn()
* Make krb5_setup() public
* Add krb5_kuserok() access check to krb5_child
* Make handle_child_* request public
* Call krb5_child to check access permissions
* Add defaultNamingContext to RootDSE attributes
* Use (default)namingContext to set empty search bases
* Make ldap_search_base a non-mandatory option
* Review comments for namingContexts patches
* Avoid long long in messages to PAM client use int64_t
* Introduce pam_verbosity config option
* Add missing error code
* Fix offline detection for LDAP auth/chpass
* Fix man page
* Use a more efficient host search filter
* Add SIGUSR2 to reset offline status
* fix typo in get_server_status()
* Fix a typo on setup_netlink()
* Daemonize by default
* Run checks before resetting offline state
* Fix offline detection in sdap_cli_connect request
* Add check_online method to LDAP ID provider
* Add a special filter type to handle enumerations
* Send authtok_type to krb5_child
* Add a renew task to krb5_child
* Check authtok type for krb5 auth and chpass
* Add krb5_renewable_lifetime option
* Add krb5_lifetime option
* Add support for server-side pam response messages
* krb5_child returns TGT lifetime
* Add support for automatic Kerberos ticket renewal
* Allow krb5 lifetime values without a unit
* Make string_to_shadowpw_days() public
* Add new account expired rule to LDAP access provider
* Add ldap_chpass_uri config option
* Refactor krb5_child to make helpers more flexible
* Add support for FAST in krb5 provider
* Mark unavailable Kerberos server as PORT_NOT_WORKING
* Replace krb5_kdcip by krb5_server in LDAP provider
* Fix build issue with older Kerberos library
* Remove check_access_time() from IPA access provider
* Bye, bye, ipa_timerules
* Fix unchecked return value in sdap_get_msg_dn()
* Fix unchecked return value in sdap_parse_entry()
* Remove unused newauthtok variable in LOCAL_pam_handler
* Fix improper NULL check in fo_add_srv_server()
* Fix incorrect return value on failure in resolve_get_domain_send()
* Fix incorrect return value on failure in check_and_export_options()
* Fix uninitialized value error in sdap_account_expired_shadow()
* Fix uninitialized value error in setup_test in fail_over-tests.c
* Fix improper bit manipulation in pam_sss
* Fix possible memory leak in sss_nss_recv_rep()
* Fix uninitialized value error in main() in stress-tests.c
* Fix possible memory leak in do_pam_conversation
* Fix another possible memory leak in sss_nss_recv_rep()
* Fix memory leak of library handle in proxy
* Fix uninitialized value error in lookup_netgr_step()
* Fix possible NULL-dereference in lookup_netgr_step()
* Avoid multiple initializations in LDAP provider
* Introduce sss_hash_create_ex()
* Fixes for automatic ticket renewal
* Serialize requests of the same user in the krb5 provider
* Update config API files
* Add all values of a multi-valued user attribute
* Remove unused member of a struct
* Fix potential NULL-dereference in krb5_auth_done()

Yuri Chornoivan (1):
* Updating uk translation

-- 
Stephen Gallagher
RHCE 804006346421761