=== SSSD 1.11.3 ===

The SSSD team is proud to announce the release of version 1.11.3 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==
* This release mostly focuses on bug fixes, especially in the AD provider
* The AD provider is able to resolve group memberships for groups with
  Global and Universal scope
* The initgroups (get groups for user) operation for users from trusted
  AD domains was made more reliable by reading the required tokenGroups
  attribute from LDAP instead of Global Catalog
* A new option ad_enable_gc was added to the AD provider. This option
  allows the administrator to force SSSD to talk to LDAP port only and never
  try the Global Catalog
* The AD provider is now able to leverage the tokenGroups attribute even
  when POSIX attributes are used, providing better performance during logins.
* A memory leak in the NSS responder that affected long-lived clients that
  requested netgroup data was fixed

== Documentation Changes ==
* A new option ldap_group_type was added to LDAP, IPA and AD providers
* A new option ad_enable_gc was added to the AD provider

== Tickets Fixed ==
    [RFE] AD Provider should use tokenGroups with non-ID-mapping
    [RFE] If originalDN is not available during LDAP auth, the SSSD should look 
it up
    Improve detection of the right domain when processing group with members 
from several domains
    sss_idmap: add API to free objects allocated by the library
    SSSD fails to fetch netgroup information with setnetgrent failed error
    Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised 
    Push patch to bump version-info of libsss_idmap
    sssd can't retrieve auto.master when using the "default_domain_suffix" 
option in
    sssd_be crashes on manually adding a cleartext password to 
    Individual group search returned multiple results in GC lookups
    Incorrect mention of access_filter in sssd-ad manpage
    Non descriptive error message when sssd.conf is missing completely
    sssd_be segfaults if empty grop is resolved using ad_matching_rule
    tokenGroups do not work reliable with Global Catalog
    Update Gentoo init script
    If SSSD starts offline, subdomains list is never read.
    sssd_nss grows memory footprint when netgroups are requested
    sssd_be crashes occasionally
    AD groups with domain-local scope should be filtered out for trusted domains

== Detailed Changelog ==
Aron Parsons (1):
      * do not use default_domain_suffix with autofs

Jakub Hrozek (14):
      * Updating the version for the 1.11.3 release
      * Initialize sid_str to NULL to avoid freeing random data
      * LDAP: Split out a request to search for a user w/o saving
      * LDAP: Search for original DN during auth if it's missing
      * AD: Fix a typo in the man page
      * LDAP: Initialize user count for AD matching rule
      * SUBDOMAINS: Reuse cached results if DP is offline
      * AD: Refresh subdomain data structures on startup
      * IPA: Refresh subdomain data structures on startup
      * IPA: Call ipa_ad_subdom_refresh when server mode is initialized
      * AD: Add a utility function to create list of connections
      * AD: Add a new option to turn off GC lookups
      * AD: Enable fallback to LDAP of trusted domain
      * Updating translations for the 1.11.3 release

Jan Engelhardt (1):
      * build: fix ordering of linker flags

Lukas Slebodnik (7):
      * NSS: Set packet length for initgroups
      * LDAP: Prevent from using uninitialized sdap_options
      * SYSDB: Skip malformed netgroup attribute.
      * SYSDB: Sanitize filter before sysdb_search_groups
      * SYSDB: Sanitize filter before removing ghost attrs
      * NSS: Fix memory leak in sss_setnetgrent
      * AUTOTOOLS: krb5 1.12 is also supported krb5 libs

Markos Chandras (2):
      * sysv/gentoo: Use xdm if possible
      * sysv/gentoo: Send debug output to a file instead of stderr

Pavel Březina (11):
      * idmap: add API to free allocated SIDs
      * free idmapped SIDs correctly
      * free idmapped dom SIDs correctly
      * free idmapped smb SIDs correctly
      * free idmapped binary SIDs correctly
      * pac: fix double free
      * pac: fix potential memory leaks
      * failover: check dns_domain if primary servers lookup failed
      * ad: refactor tokengroups initgroups
      * ad: use tokengroups even when id mapping is disabled
      * Bump sss_idmap version to 3:0:3

Pavel Reichl (3):
      * monitor: Specific error message for missing sssd.conf
      * SSSD: Improved domain detection
      * SSSD: Unit test - sss_ldap_dn_in_search_bases

Sumit Bose (10):
      * AD: use LDAP for group lookups
      * sss_cache: initialize names member of sss_domain_info
      * sss_cache: fix case-sensitivity issue
      * Add sysdb_attrs_add_lc_name_alias
      * Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias
      * Use lower-case name for case-insensitive searches
      * Add new option ldap_group_type
      * Add sysdb_attrs_get_int32_t
      * AD: filter domain local groups for trusted/sub domains
      * AD: cross-domain membership fix

Freeipa-interest mailing list

Reply via email to