2018-04-27 - email@example.com
- Update to new minor upstream release 1.16.1 (fate#323340):
* A new option auto_private_groups was added. If this option is
enabled, SSSD will automatically create user private groups based
on user's UID number. The GID number is ignored in this case.
* The SSSD smart card integration now supports a special type of PAM
conversation implemented by GDM which allows the user to select
the appropriate smart card certificate in GDM.
* A new API for accessing user and group information was added.
This API is similar to the traditional Name Service Switch API, but
allows the consumer to talk to SSSD directly as well as to
fine-tune the query with e.g. how cache should be evaluated.
* The sssctl command line tool gained a new command access-report,
which can generate who can access the client machine. Currently
only generating the report on an IPA client based on HBAC rules
* The hostid provider was moved from the IPA specific code to
the generic LDAP code. This allows SSH host keys to be accessed by
the generic LDAP provider as well. See the ldap_host_* options in
the sssd-ldap manual page for more details.
* Setting the memcache_timeout option to 0 disabled creating
the memory cache files altogether. This can be useful in cases
where there is a bug in the memory cache that needs working around.
2018-04-24 - firstname.lastname@example.org
- Updated sssd.spec:
The IPA provider depends on AD provider's PAC executable, hence
introducing the package dependency. (bsc#1021441, bsc#1062124)
2018-02-27 - email@example.com
- Remove package descriptions for the python 2 packages that are
no longer distributed:
- Correct python version dependency of tools package. (bsc#1082108)
2017-12-04 - firstname.lastname@example.org
- Correct dependency of sss_obfuscate command line program.
2017-12-01 - email@example.com
- In an ongoing effort to reduce dependency on python version 2,
the following python libraries are no longer built. Nevertheless
their python3 counterparts remain in place:
2017-10-23 - firstname.lastname@example.org
- Update to new upstream release 1.16.0
* This release fixes CVE-2017-12173: Unsanitized input when searching in
local cache database. SSSD stores its cached data in an LDAP like local
database file using libldb. To lookup cached data LDAP search filters
like (objectClass=user)(name=user_name) are used. However, in
sysdb_search_user_by_upn_res(), the input was not sanitized and
allowed to manipulate the search filter for cache lookups. This would
allow a logged in user to discover the password hash of a different user.
* SSSD now supports session recording configuration through tlog. This
feature enables recording of everything specific users see or type
during their sessions on a text terminal. For more information, see
the sssd-session-recording(5) manual page.
* SSSD can act as a client agent to deliver
Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander>
policies defined on an IPA server. Fleet Commander provides a
configuration management interface that is controlled centrally and
that covers desktop, applications and network configuration.
* Several new systemtap <https://sourceware.org/systemtap/> probes
were added into various locations in SSSD code to assist in
troubleshooting and analyzing performance related issues. Please see the
sssd-systemtap(5) manual page for more information.
* A new LDAP provider access control mechanism that allows to restrict
access based on PAM's rhost data field was added. For more details,
please consult the sssd-ldap(5) manual page, in particular the
options ldap_user_authorized_rhost and the rhost value of
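
The filter manipulation described in the CVE-2017-12173 entry above, as an added example that is not SSSD's own code: a search filter built from raw input next to one built from RFC 4515-escaped input. All function names are hypothetical, the sample input is constructed, and the filter reuses the entry's attribute names with an assumed `&` wrapper.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper: escape RFC 4515 filter metacharacters; -1 = `out` too small. */
int filter_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (outlen - o < (special ? 4u : 2u)) return -1;  /* bytes plus NUL */
        if (special) o += (size_t)snprintf(out + o, 4, "\\%02x", (unsigned)c);
        else out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Pre-fix pattern: the caller-supplied name is pasted in verbatim. */
int build_filter_unsafe(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "(&(objectClass=user)(name=%s))", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: escape first, so the value can never add clauses. */
int build_filter_safe(const char *name, char *out, size_t outlen)
{
    char esc[256];
    if (filter_escape(name, esc, sizeof(esc)) != 0) return -1;
    int n = snprintf(out, outlen, "(&(objectClass=user)(name=%s))", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Number of '(' in a filter: 3 for the intended two-clause AND (assumed form). */
int count_clauses(const char *filter)
{
    int n = 0;
    for (; *filter != '\0'; filter++) n += (*filter == '(');
    return n;
}

int main(void)
{
    char f[128];
    const char *in = "x)(name=*";   /* constructed sample input */
    if (build_filter_unsafe(in, f, sizeof(f)) == 0) printf("%d %s\n", count_clauses(f), f);
    if (build_filter_safe(in, f, sizeof(f)) == 0) printf("%d %s\n", count_clauses(f), f);
    return 0;
}
```

A clause count other than 3 on the unescaped filter is the structural change the escaping prevents; a `-1` return should be treated as a rejected lookup, not retried with truncated input.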