SSSD 1.15.2

The SSSD team is proud to announce the release of version 1.15.2 of the
System Security Services Daemon.

The tarball can be downloaded from

RPM packages will be made available for Fedora shortly.

Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:

 * It is now possible to configure certain parameters of a trusted domain
   in a configuration file sub-section. In particular, it is now possible
   to configure which Active Directory DCs the SSSD talks to with a
   configuration like this::

    # IPA domain configuration. This domain trusts a Windows domain win.test

    ad_server =

 * Several issues related to socket-activating the NSS service, especially
   if SSSD was configured to use a non-privileged userm were fixed.
   The NSS service now doesn't change the ownership of its log files to
   avoid triggering a name-service lookup while the NSS service is not
   running yet. Additionally, the NSS service is started before any other
   service to make sure username resolution works and the other service
   can resolve the SSSD user correctly.

 * A new option "cache_first" allows the administrator to change the way
   multiple domains are searched. When this option is enabled, SSSD will
   first try to "pin" the requested name or ID to a domain by searching
   the entries that are already cached and contact the domain that contains
   the cached entry first. Previously, SSSD would check the cache and the
   remote server for each domain. This option brings performance benefit
   for setups that use multiple domains (even auto-discovered trusted
   domains), especially for ID lookups that would previously iterate over
   all domains. Please note that this option must be enabled with care as the
   administrator must ensure that the ID space of domains does not overlap.

 * The SSSD D-Bus interface gained two new methods:
   "FindByNameAndCertificate" and "ListByCertificate". These methods
   will be used primarily by IPA and
   `mod_lookup_identity <>
   to correctly match multple users who use the same certificate for Smart
   Card login.

 * A bug where SSSD did not properly sanitize a username with a newline
   character in it was fixed.

Packaging Changes
None in this release

Documentation Changes
 * A new option "cache_first" was added. Please see the Highlights
   section for more details

 * The "override_homedir" option supports a new template expansion "l"
   that expands to the first letter of username

Tickets Fixed
Please note that due to a bug in the tracker, some tickets that
have dependencies set to other tickets cannot be closed at the moment.

 * <> - Newline characters (\n) must be 
sanitized before LDAP requests take place
 * <> - sssd-secrets doesn't exit on idle 
 * <> - sssd ignores entire groups from 
proxy provider if one member is listed twice 
 * <> - when group is invalidated using 
sss_cache dataExpireTimestamp entry in the domain and timestamps cache are 
 * <> - [RFE] Add more flexible 
templating for override_homedir config option 
 * <> - Make it possible to configure AD 
subdomain in the server mode 
 * <> - chown in ExecStartPre of 
sssd-nss.service hangs forever 
 * <>  - Login time increases strongly if 
more than one domain is configured 
 * <> - use the sss_parse_inp request in 
other responders than dbus 

Detailed Changelog
* Fabiano Fidêncio (7):

      * RESPONDER: Wrap up the code to setup the idle timeout
      * SECRETS: Shutdown the responder in case it becomes idle
      * CACHE_REQ: Move cache_req_next_domain() into a new tevent request
      * CACHE_REQ: Check the caches first
      * NSS: Don't set SocketUser/SocketGroup as "sssd" in sssd-nss.socket
      * NSS: Ensure the NSS socket is started before any other services' sockets
      * NSS: Don't call chown on NSS service's ExecStartPre

* Ignacio Reguero (1):

      * UTIL: first letter of user name template for override_homedir

* Jakub Hrozek (9):

      * Updating the version for the 1.15.2 release
      * Allow manual start for sssd-ifp
      * NSS: Fix invalidating memory cache for subdomain users
      * UTIL: Add a new macro SAFEALIGN_MEMCPY_CHECK
      * UTIL: Add a generic iobuf module
      * BUILD: Detect libcurl during configure
      * UTIL: Add a libtevent libcurl wrapper
      * TESTS: test the curl wrapper with a command-line tool
      * Updating the translations for the 1.15.2 release

* Justin Stephenson (1):

      * MAN: Add dyndns_auth option

* Lukas Slebodnik (3):

      * test_secrets: Fail in child if sssd_secrets cannot start
      * test_utils: Add test coverage for %l in override_homedir
      * util-test: Extend unit test for sss_filter_sanitize_ex

* Michal Židek (4):

      * data_provider: Fix typo in DEBUG message
      * SUBDOMAINS: Configurable search bases
      * SUBDOMAINS: Allow options ad(_backup)_server
      * MAN: Add trusted domain section man entry

* Pavel Březina (4):

      * cache_req: use rctx as memory context during midpoint refresh
      * CACHE_REQ: Make "cache_req_{create_and_,}add_result()" more generic
      * CACHE_REQ: Move result manipulation into a separate module
      * CACHE_REQ: shortcut if object is found

* Petr Čech (2):

      * sss_cache: User/groups invalidation in domain cache
      * PROXY: Remove duplicit users from group

* Sumit Bose (7):

      * sysdb: allow multiple results for searches by certificate
      * cache_req: allow multiple matches for searches by certificate
      * ifp: add ListByCertificate
      * ifp: add FindByNameAndCertificate
      * PAM: allow muliple users mapped to a certificate
      * nss: ensure that SSS_NSS_GETNAMEBYCERT only returns a unique match
      * IPA: get overrides for all users found by certificate

* Thorsten Scherf (1):

      * Fixed typo in debug output

* Victor Tapia (1):

      * UTIL: Sanitize newline and carriage return characters.

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to