=== SSSD 1.11.7 ===

The SSSD team is proud to announce the release of version 1.11.7 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19 and 20 shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This release focuses on delivering bug fixes and smaller features backported
  from the 1.12 line
* Several issues related to retrieving the correct group memberships in
  the AD provider configured to use POSIX attributes were fixed.
* The Active Directory provider now correctly detects Windows Server 2012 R2.
  Previous versions would fall back to the slower non-AD path with 2012 R2.
* Groups without full POSIX information can now be used to enroll group
  membership (fixes CVE-2014-0249)
* Detection of transition from offline to online state was improved,
  resulting in fewer timeouts when SSSD is offline.
* If referrals are disabled with a config option (or by default in the AD
  provider), any returned referral is now ignored. Previously, the back
  end would switch to offline mode on encountering a referral.

== Documentation Changes ==

* A new option override_space was added. When this option is set, a space
  character in user or group names is replaced by the character specified
  in this option
* A small random value is now added to the offline_timeout parameter value
  to avoid flooding servers with periodical online checks

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1854
   [RFE] Add option for sssd to replace space with specified character in LDAP group
https://fedorahosted.org/sssd/ticket/2212
   [RFE] Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD
https://fedorahosted.org/sssd/ticket/2323
   Expired shadow policy user(shadowLastChange=0) is not prompted for password change
https://fedorahosted.org/sssd/ticket/2343
   CVE-2014-0249 sssd: incorrect expansion of group membership when encountering a non-POSIX group [fedora-all]
https://fedorahosted.org/sssd/ticket/2345
   tokengroups do not work with id_provider=ldap
https://fedorahosted.org/sssd/ticket/2349
   public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end
https://fedorahosted.org/sssd/ticket/2355
   Requests queued during transition from offline to online mode
https://fedorahosted.org/sssd/ticket/2360
   The SSSD dbus service should retry system bus connection if it fails
https://fedorahosted.org/sssd/ticket/2364
   RFE: Be able to configure sssd to honor openldap account lock to restrict access via ssh key
https://fedorahosted.org/sssd/ticket/2377
   sudo: invalid sudoHost filter with asterisk
https://fedorahosted.org/sssd/ticket/2380
   Race condition in the client code
https://fedorahosted.org/sssd/ticket/2383
   dereferencing control failure against openldap server
https://fedorahosted.org/sssd/ticket/2385
   ad: group membership is empty when id mapping is off and tokengroups are enabled
https://fedorahosted.org/sssd/ticket/2389
   Problems with tokengroups and ldap_group_search_base
https://fedorahosted.org/sssd/ticket/2390
   Failover does not always happen from SRV to hostname resolution(via /etc/hosts)
https://fedorahosted.org/sssd/ticket/2391
   sssd_be segfaults in ldb_msg_find_element
https://fedorahosted.org/sssd/ticket/2397
   Auth fails when space in username is replaced with character set by override_default_whitespace
https://fedorahosted.org/sssd/ticket/2399
   RHEL6.6 sssd not running after upgrade
https://fedorahosted.org/sssd/ticket/2400
   sssd can't retrieve sudo rules when using the "default_domain_suffix" option
https://fedorahosted.org/sssd/ticket/2401
   clarify the offline timeout in man page
https://fedorahosted.org/sssd/ticket/2402
   IFP: FQDN lookups are broken
https://fedorahosted.org/sssd/ticket/2405
   use-after-free in dyndns code
https://fedorahosted.org/sssd/ticket/2406
   Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
https://fedorahosted.org/sssd/ticket/2407
   simple_allow_groups does not lookup groups from other AD domains
https://fedorahosted.org/sssd/ticket/2409
   On error, libnss_sss can mistakenly close descriptors it doesn't "own"
https://fedorahosted.org/sssd/ticket/2410
   Race condition between sudo refresh
https://fedorahosted.org/sssd/ticket/2418
   sssd does not recognize Windows server 2012 R2's LDAP as AD
https://fedorahosted.org/sssd/ticket/2421
   Dereference code errors out when dereferencing entries protected by ACIs
https://fedorahosted.org/sssd/ticket/2436
   ipa user private group not found

== Detailed Changelog ==

Ian Lee (1):
    * Add user lookup and session dependencies to systemd service file. 

Jakub Hrozek (32):
    * Updating the version for the 1.11.7 release
    * BUILD: dbusintrospectdir is not used anymore
    * IFP: Fix DEBUG messages
    * IFP: Return a specific value on failure connecting to the system bus
    * IFP: Provide a SBUS method to reconnect to sysbus
    * MONITOR: Signal InfoPipe to reconnect on SIGUSR2
    * TOOLS: New helper tool sss_signal
    * BUILD: Add the DBus service activation
    * IFP: Fix lookups with fully-qualified names
    * RPM: Restart service in %posttrans, not %post
    * NSS: Ignore default_domain for netgroups
    * Only replace space with the specified substitution
    * Make the space override responder-agnostic
    * PAM: Use the override_space option
    * IFP: Use the override_space option
    * SUDO: Use the override_space option
    * IPA: handle searches by SID in apply_subdomain_homedir
    * Revert "IPA: new attribute map for non-posix groups"
    * Revert "IPA: process non-posix nested groups"
    * Revert "IPA: try to resolve nested groups as poxix group"
    * LDAP: Do not shortcut on ret != EOK during password expiry check
    * LDAP: Split out linking primary group members into a separate function
    * LDAP: Don't add a user member twice when adding a primary group
    * LDAP: Use tmp_ctx in ldap_child for temporary data
    * LDAP: Use randomized ccname for storing credentials
    * LDAP: Add Windows Server 2012 R2 functional level
    * LDAP: Fall back to functional level of Windows Server 2003
    * LDAP: Enable tokenGroups with Windows Server 2003
    * LDAP: Ignore returned referrals if referral support is disabled
    * LDAP: Skip dereferenced entries that we are not permitted to read
    * Ignore referrals in deref and ASQ, too
    * Updating the translations for the 1.11.7 release 

Jan Cholasta (1):
    * SSH: Allow newline at the end of public key values in LDAP 

Lukas Slebodnik (19):
    * Don't use macro _XOPEN_SOURCE for function strptime
    * sss_client: thread safe initialisation of sss_cli_mc_ctx
    * sss_client: Fix memory leak in nss_mc_{group,passwd}
    * LDAP: Remove unused option ldap_netgroup_uuid
    * LDAP: Remove unused option ldap_group_uuid
    * LDAP: Remove unused option ldap_user_uuid
    * test_utils: Use common header file for libsss_util tests.
    * UTIL: Add functions for replacing whitespaces.
    * NSS: Replace spaces with specified string in names.
    * dyndns_test: Use right socket length of for IPv4 address.
    * responder-get-domains-tests: fix checking of leaks
    * test_dyndns: Use different talloc context in wrapped functions.
    * TESTS: leak_check functions shouldn't be called with NULL context
    * dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
    * test_dyndns: sss_iface_addr_list_get can return more values
    * SDAP: free subrequest in sdap_dyndns_update_addrs_done
    * SDAP: Immediately finish request for empty array
    * SDAP: Use different talloc_context for array of names
    * SDAP: Update groups for user just once. 

Michal Zidek (6):
    * ptask: Allow adding random_offset to scheduled execution time
    * ptask: Add backoff feature to the ptask api.
    * Exit offline mode only if server is available.
    * MAN: How much time sssd spends offline
    * Add alternative objectClass to group attribute maps
    * Use the alternative objectclass in group maps. 

Michal Šrubař (1):
    * LDAP SUDO: sudo provider doesn't fetch 'EntryUSN' 

Nalin Dahyabhai (1):
    * sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors 

Nikolai Kondrashov (1):
    * build: Switch back to DISTCHECK_CONFIGURE_FLAGS 

Pavel Březina (9):
    * sbus_request: fix potential NULL dereference
    * ad: comment ENOENT when id mapping is disabled
    * ad: update membership after SIDs are resolved
    * sudo: fetch sudoRunAs attribute
    * sudo: use dbus array for rules refresh
    * sudo: replace asterisk with escape sequence in host filter
    * failover: set port status to not working if previous srv lookup failed
    * ad initgroups: continue if resolved SID is still missing
    * sudo: work with correct D-Bus iterator 

Pavel Reichl (18):
    * TESTS: sss_ssh - textual public key format
    * LDAP: tokengroups do not work with id_provider=ldap
    * SDAP: Continue resolving SID even if some fail
    * IPA: new attribute map for non-posix groups
    * IPA: process non-posix nested groups
    * IPA: try to resolve nested groups as poxix group
    * SDAP: split sdap_access_filter_get_access_done
    * SDAP: refactor sdap_access_filter_send
    * SDAP: nitpicks in sdap_access_filter_get_access_done
    * SDAP: refactor sdap_access_filter_done
    * SDAP: don't log error on access denied
    * SDAP: refactor AC offline checks
    * SDAP: new option - DN to ppolicy on LDAP
    * SDAP: account lockout to restrict access via ssh key
    * MAN: options 'lockout' and 'ldap_pwdlockout_dn'
    * IPA: process non-posix nested groups
    * AD: process non-posix nested groups w/o tokenGroups
    * AD: process non-posix nested groups using tokenGroups 

Sumit Bose (1):
    * Replace space: add some checks 
