=== SSSD 1.11.3 ===

The SSSD team is proud to announce the release of version 1.11.3 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
* This release mostly focuses on bug fixes, especially in the AD provider
* The AD provider is able to resolve group memberships for groups with
  Global and Universal scope
* The initgroups (get groups for user) operation for users from trusted
  AD domains was made more reliable by reading the required tokenGroups
  attribute from LDAP instead of Global Catalog
* A new option ad_enable_gc was added to the AD provider. This option
  allows the administrator to force SSSD to talk to LDAP port only and never
  try the Global Catalog
* The AD provider is now able to leverage the tokenGroups attribute even
  when POSIX attributes are used, providing better performance during logins.
* A memory leak in the NSS responder that affected long-lived clients that
  requested netgroup data was fixed

== Documentation Changes ==
* A new option ldap_group_type was added to LDAP, IPA and AD providers
* A new option ad_enable_gc was added to the AD provider

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1568
    [RFE] AD Provider should use tokenGroups with non-ID-mapping
https://fedorahosted.org/sssd/ticket/2077
    [RFE] If originalDN is not available during LDAP auth, the SSSD should look 
it up
https://fedorahosted.org/sssd/ticket/2132
    Improve detection of the right domain when processing group with members 
from several domains
https://fedorahosted.org/sssd/ticket/2133
    sss_idmap: add API to free objects allocated by the library
https://fedorahosted.org/sssd/ticket/2137
    SSSD fails to fetch netgroup information with setnetgrent failed error
https://fedorahosted.org/sssd/ticket/2138
    Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised 
byte(s)"
https://fedorahosted.org/sssd/ticket/2145
    Push patch to bump version-info of libsss_idmap
https://fedorahosted.org/sssd/ticket/2146
    sssd can't retrieve auto.master when using the "default_domain_suffix" 
option in
https://fedorahosted.org/sssd/ticket/2147
    sssd_be crashes on manually adding a cleartext password to 
ldap_default_authtok
https://fedorahosted.org/sssd/ticket/2148
    Individual group search returned multiple results in GC lookups
https://fedorahosted.org/sssd/ticket/2154
    Incorrect mention of access_filter in sssd-ad manpage
https://fedorahosted.org/sssd/ticket/2156
    Non descriptive error message when sssd.conf is missing completely
https://fedorahosted.org/sssd/ticket/2157
    sssd_be segfaults if empty grop is resolved using ad_matching_rule
https://fedorahosted.org/sssd/ticket/2161
    tokenGroups do not work reliable with Global Catalog
https://fedorahosted.org/sssd/ticket/2165
    Update Gentoo init script
https://fedorahosted.org/sssd/ticket/2168
    If SSSD starts offline, subdomains list is never read.
https://fedorahosted.org/sssd/ticket/2170
    sssd_nss grows memory footprint when netgroups are requested
https://fedorahosted.org/sssd/ticket/2173
    sssd_be crashes occasionally
https://fedorahosted.org/sssd/ticket/2178
    AD groups with domain-local scope should be filtered out for trusted domains

== Detailed Changelog ==
Aron Parsons (1):
      * do not use default_domain_suffix with autofs

Jakub Hrozek (14):
      * Updating the version for the 1.11.3 release
      * Initialize sid_str to NULL to avoid freeing random data
      * LDAP: Split out a request to search for a user w/o saving
      * LDAP: Search for original DN during auth if it's missing
      * AD: Fix a typo in the man page
      * LDAP: Initialize user count for AD matching rule
      * SUBDOMAINS: Reuse cached results if DP is offline
      * AD: Refresh subdomain data structures on startup
      * IPA: Refresh subdomain data structures on startup
      * IPA: Call ipa_ad_subdom_refresh when server mode is initialized
      * AD: Add a utility function to create list of connections
      * AD: Add a new option to turn off GC lookups
      * AD: Enable fallback to LDAP of trusted domain
      * Updating translations for the 1.11.3 release

Jan Engelhardt (1):
      * build: fix ordering of linker flags

Lukas Slebodnik (7):
      * NSS: Set packet length for initgroups
      * LDAP: Prevent from using uninitialized sdap_options
      * SYSDB: Skip malformed netgroup attribute.
      * SYSDB: Sanitize filter before sysdb_search_groups
      * SYSDB: Sanitize filter before removing ghost attrs
      * NSS: Fix memory leak in sss_setnetgrent
      * AUTOTOOLS: krb5 1.12 is also supported krb5 libs

Markos Chandras (2):
      * sysv/gentoo: Use xdm if possible
      * sysv/gentoo: Send debug output to a file instead of stderr

Pavel Březina (11):
      * idmap: add API to free allocated SIDs
      * free idmapped SIDs correctly
      * free idmapped dom SIDs correctly
      * free idmapped smb SIDs correctly
      * free idmapped binary SIDs correctly
      * pac: fix double free
      * pac: fix potential memory leaks
      * failover: check dns_domain if primary servers lookup failed
      * ad: refactor tokengroups initgroups
      * ad: use tokengroups even when id mapping is disabled
      * Bump sss_idmap version to 3:0:3

Pavel Reichl (3):
      * monitor: Specific error message for missing sssd.conf
      * SSSD: Improved domain detection
      * SSSD: Unit test - sss_ldap_dn_in_search_bases

Sumit Bose (10):
      * AD: use LDAP for group lookups
      * sss_cache: initialize names member of sss_domain_info
      * sss_cache: fix case-sensitivity issue
      * Add sysdb_attrs_add_lc_name_alias
      * Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias
      * Use lower-case name for case-insensitive searches
      * Add new option ldap_group_type
      * Add sysdb_attrs_get_int32_t
      * AD: filter domain local groups for trusted/sub domains
      * AD: cross-domain membership fix

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest

Reply via email to