https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.14
Improved handling of users and groups with multi-valued name attributes
(aliases)
Performance enhancements
* Initgroups on RFC2307bis/FreeIPA
* HBAC rule processing
Improved process-hang detection and restarting
Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
Cleaned up the example configuration
Conflicts:
sssd.spec
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13
Fixes a serious issue with LDAP connections when the communication is
dropped (e.g. VPN disconnection, waking from sleep)
SSSD is now less strict when dealing with users/groups with multiple names
when a definitive primary name cannot be determined
The LDAP provider will no longer attempt to canonicalize by default when
using SASL. An option to re-enable this has been provided
Fixes for non-standard LDAP attribute names (e.g. those used by Active
Directory)
Three HBAC regressions have been fixed
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.12
Fixes a regression introduced in 1.5.11 with hostname resolution
Fixes an issue where sssd_pam would leak file descriptors until resource
exhaustion
Complete rewrite of the FreeIPA Host-Based Access Control (HBAC) resolver
New shared library for HBAC access-control
Fixes for password expiration handling with LDAP auth
New option to veto certain centrally-managed shells (Patch by John Hodrien)
Conflicts:
sssd.spec
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
Fix a serious regression that prevented SSSD from working with ldaps:// URIs
IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6
address being saved to the AAAA record
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9
Support for overriding home directory, shell and primary GID locally
Properly honor TTL values from SRV record lookups
Support non-POSIX groups in nested group chains (for RFC2307bis LDAP servers)
Properly escape IPv6 addresses in the failover code
Do not crash if inotify fails (e.g. resource exhaustion)
Don't add multiple TGT renewal callbacks (too many log messages)
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6
Fixed a serious memory leak in the memberOf plugin
Fixed a regression with the negative cache that caused it to be essentially
nonfunctional
Fixed an issue where the user's full name would sometimes be removed from
the cache
Fixed an issue with password changes in the kerberos provider not working
with kpasswd
Resolves: rhbz#697057 - kpasswd fails when using sssd and
kadmin server != kdc server
Fix a serious memory leak in the memberOf plugin
Fix an issue where the user's full name would sometimes be removed
from the cache
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5
Fixes for several crash bugs
LDAP group lookups will no longer abort if there is a zero-length member
attribute
Add automatic fallback to 'cn' if the 'gecos' attribute does not exist
Improve the way we detect the LDB plugin location
New upstream release 1.5.4
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
Fixes for Active Directory when not all users and groups have POSIX attributes
Fixes for handling users and groups that have name aliases (aliases are ignored)
Fix group memberships after initgroups in the IPA provider
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2
Fixes for support of FreeIPA v2
Fixes for failover if DNS entries change
Improved sss_obfuscate tool with better interactive mode
Fix several crash bugs
Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this
Delete users from the local cache if initgroups calls return 'no such user'
(previously only worked for getpwnam/getpwuid)
Use new Transifex.net translations
Better support for automatic TGT renewal (now survives restart)
Netgroup fixes
- Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
- Vast performance improvements when enumerate = true
- All PAM actions will now perform a forced initgroups lookup instead of just
- a user information lookup
- This guarantees that all group information is available to other
- providers, such as the simple provider.
- For backwards-compatibility, DNS lookups will also fall back to trying the
- SSSD domain name as a DNS discovery domain.
- Support for more password expiration policies in LDAP
- 389 Directory Server
- FreeIPA
- ActiveDirectory
- Support for ldap_tls_{cert,key,cipher_suite} config options
-Assorted bugfixes
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
- Add support for netgroups to the proxy provider
- Fixes a minor bug with UIDs/GIDs >= 2^31
- Fixes a segfault in the kerberos provider
- Fixes a segfault in the NSS responder if a data provider crashes
- Correctly use sdap_netgroup_search_base
Stephen Gallagher
Simo Sorce
Dennis Gilmore