All,

This improved AD domain controller seems like an excellent solution to a
problem we face periodically in our company.  In our DMZs, 90% of the DCs
are blocked;  only a few are accessible.  Previously, it seems like sssd
did a CLDAP ping to about 5 DCs.  If none of those 5 were accessible, game
over.

We could hard-code the accessible DCs in the sssd.conf file, but that's
ugly.  And the AD team swaps in and out AD DCs periodically.

What we really do in this situation is remove sssd and use our older
(commercial) AD integration tool, which does this new sssd algorithm --
CLDAP ping all DCs in parallel.  So this older client works in a DMZ.

Now sssd 2.4.0 will as well.  Well done!

Spike

On Mon, Oct 12, 2020 at 5:46 AM Pavel Březina <pbrez...@redhat.com> wrote:

> # SSSD 2.4.0
>
> The SSSD team is proud to announce the release of version 2.4.0 of the
> System Security Services Daemon. The tarball can be downloaded from:
>      https://github.com/SSSD/sssd/releases/tag/sssd-2_4_0
>
> See the full release notes at:
>      https://sssd.io/docs/users/relnotes/notes_2_4_0
>
> RPM packages will be made available for Fedora shortly.
>
> ## Feedback
>
> Please provide comments, bugs and other feedback via the sssd-devel
> or sssd-users mailing lists:
>      https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>      https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> ## Highlights
>
> - `libnss` support was dropped, SSSD now supports only `openssl`
> cryptography
>
> ### New features
>
> - Session recording can now exclude specific users or groups when
> `scope` is set to `all` (see `exclude_users` and `exclude_groups` options)
> - Active Directory provider now sends CLDAP pings over UDP protocol to
> Domain Controllers in parallel to determine site and forest to speed up
> server discovery
>
> ### Packaging changes
>
> - python2 bindings are disabled by default, use `--with-python2-bindings`
> to build them
>
> ### Documentation Changes
>
> - Default value of `client_idle_timeout` changed from 60 to 300 seconds
> for KCM, this allows more time for user interaction (e.g. during `kinit`)
> - Added `exclude_users` and `exclude_groups` options to
> `session_recording` section, this allows excluding users or groups from
> session recording when `scope` is set to `all`
> - Added `ldap_library_debug_level` option to enable debug messages from
> `libldap`
> - Added `dyndns_auth_ptr` to set authentication mechanism for PTR DNS
> records update
> - Added `ad_allow_remote_domain_local_groups` to be compatible with
> other solutions
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>