Commit Graph

484 Commits

Author SHA1 Message Date
Stephen Gallagher
058cfb833c New upstream release 1.9.0 beta 3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3
- Add a new PAC responder for dealing with cross-realm Kerberos trusts
- Terminate idle connections to the NSS and PAM responders
2012-06-25 13:15:35 -04:00
Stephen Gallagher
2cb25205a4 Switch unicode library from libunistring to Glib
- Drop unnecessary explicit Requires on keyutils
- Guarantee that versioned Requires include the correct architecture
2012-06-20 10:32:39 -04:00
Stephen Gallagher
f8c88041e5 Fix accidental disabling of the DIR cache support 2012-06-18 10:16:49 -04:00
Stephen Gallagher
666a39284d New upstream release 1.9.0 beta 2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2
- Add support for the Kerberos DIR cache for storing multiple TGTs
  automatically
- Major performance enhancement when storing large groups in the cache
- Major performance enhancement when performing initgroups() against Active
  Directory
- SSSDConfig data file default locations can now be set during configure for
  easier packaging
2012-06-15 15:43:49 -04:00
Stephen Gallagher
26151dabf9 Fix regression in endianness patch 2012-05-30 15:10:43 -04:00
Stephen Gallagher
12d78e10a6 Rebuild SSSD against ding-libs 0.3.0beta1
- Fix endianness bug in service map protocol
2012-05-29 11:23:46 -04:00
Stephen Gallagher
359d341a35 Fix several regressions since 1.5.x
- Ensure that the RPM creates the /var/lib/sss/mc directory
- Add support for Netscape password warning expiration control
- Rebuild against libldb 1.1.6
2012-05-24 08:23:25 -04:00
Stephen Gallagher
7fa00add1e New upstream release 1.9.0 beta 1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1
- Add native support for autofs to the IPA provider
- Support for ID-mapping when connecting to Active Directory
- Support for handling very large (> 1500 users) groups in Active Directory
- Support for sub-domains (will be used for dealing with trust relationships)
- Add a new fast in-memory cache to speed up lookups of cached data on
  repeated requests
2012-05-11 16:02:54 -04:00
Stephen Gallagher
05471b8b76 New upstream release 1.8.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3
- Numerous manpage and translation updates
- LDAP: Handle situations where the RootDSE isn't available anonymously
- LDAP: Fix regression for users using non-standard LDAP attributes for user
  information
2012-05-03 15:46:32 -04:00
Stephen Gallagher
77acf296a2 New upstream release 1.8.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2
- Several fixes to case-insensitive domain functions
- Fix for GSSAPI binds when the keytab contains unrelated principals
- Fixed several segfaults
- Workarounds added for LDAP servers with unreadable RootDSE
- SSH knownhostproxy will no longer enter an infinite loop preventing login
- The provided SYSV init script now starts SSSD earlier at startup and stops
  it later during shutdown
- Assorted minor fixes for issues discovered by static analysis tools
2012-04-09 15:06:43 -04:00
Stephen Gallagher
d023298922 Don't duplicate libsss_autofs.so in two packages
- Set explicit package contents instead of globbing
2012-03-26 09:35:25 -04:00
Stephen Gallagher
af80d0ea8a Fix uninitialized value bug causing crashes throughout the code
- Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup
2012-03-21 07:36:22 -04:00
Stephen Gallagher
8c71823719 New upstream release 1.8.1
- Resolve issue where we could enter an infinite loop trying to connect to an
  auth server
- Fix serious issue with complex (3+ levels) nested groups
- Fix netgroup support for case-insensitivity and aliases
- Fix serious issue with lookup bundling resulting in requests never
  completing
- IPA provider will now check the value of nsAccountLock during pam_acct_mgmt
  in addition to pam_authenticate
- Fix several regressions in the proxy provider
- Resolves: rhbz#743133 - Performance regression with Kerberos authentication
                          against AD
- Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work
2012-03-12 19:25:42 -04:00
Stephen Gallagher
41359781c6 New upstream release 1.8.0
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)
- Include the IPA AutoFS provider
- Fixed several memory-corruption bugs
- Fixed a regression in group enumeration since 1.7.0
- Fixed a regression in the proxy provider
- Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD
- Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is
                          logged at each login
- Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process
                          /usr/sbin/sssd was killed by signal 11 (SIGSEGV)
- Resolves: rhbz#743133 - Performance regression with Kerberos authentication
                          against AD
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
                          new LDAP features
- Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc
2012-02-28 15:23:22 -05:00
Stephen Gallagher
d474da7ce3 Change default kerberos credential cache location to /run/user/<username> 2012-02-22 09:11:05 -05:00
Stephen Gallagher
e16d49fc65 New upstream release 1.8.0 beta 3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3
- Fixed a regression in group enumeration since 1.7.0
- Fixed several memory-corruption bugs
- Finalized the ABI for the autofs support
- Fixed a regression in the proxy provider
2012-02-15 16:11:31 -05:00
Stephen Gallagher
14c3c0777e Fix python Provides: filtering 2012-02-15 10:38:10 -05:00
Petr Písař
111a1d5cbe Rebuild against PCRE 8.30 2012-02-10 13:08:38 +01:00
Stephen Gallagher
01ac0e1a3e New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2
- Fix two minor manpage bugs
- Include the IPA AutoFS provider
2012-02-07 09:57:04 -05:00
Stephen Gallagher
881479933b New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
- Support for the service map in NSS
- Support for setting default SELinux user context from FreeIPA
- Support for retrieving SSH user and host keys from LDAP (Experimental)
- Support for caching autofs LDAP requests (Experimental)
- Support for caching SUDO rules (Experimental)
2012-02-06 20:08:04 -05:00
Stephen Gallagher
e8905f5363 Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
new LDAP features - fix netgroups and sudo as well
2012-02-04 20:20:10 -05:00
Stephen Gallagher
b6ef581001 Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider. 2012-02-02 14:23:16 -05:00
Stephen Gallagher
2381e855ec Fix typo in date and version 2012-02-01 14:27:24 -05:00
Stephen Gallagher
ae664ccc43 Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
new LDAP features
2012-02-01 14:24:12 -05:00
Dennis Gilmore
6ec779e9e4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild 2012-01-13 22:24:58 -06:00
Stephen Gallagher
a885ab8a9d New upstream release 1.7.0
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0
Support for case-insensitive domains
Support for multiple search bases in the LDAP provider
Support for the native FreeIPA netgroup implementation
Reliability improvements to the process monitor
New DEBUG facility with more consistent log levels
New tool to change debug log levels without restarting SSSD
SSSD will now disconnect from LDAP server when idle
FreeIPA HBAC rules can choose to ignore srchost options for significant
performance gains
Assorted performance improvements in the LDAP provider
2011-12-22 15:20:15 -05:00
Stephen Gallagher
f73d44d40a New upstream release 1.6.4
Rolls up previous patches applied to the 1.6.3 tarball
Fixes a rare issue causing crashes in the failover logic
Fixes an issue where SSSD would return the wrong PAM error code for users
that it does not recognize.
2011-12-19 16:13:43 -05:00
Stephen Gallagher
5633dc7e99 Rebuild against libldb 1.1.4 2011-12-07 07:47:53 -05:00
Stephen Gallagher
ece3519410 Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the
username in getpwnam()
Resolves: rhbz#758425 - LDAP failover not working if server refuses
connections
2011-11-29 14:20:31 -05:00
Jakub Hrozek
95fec2a877 Rebuild for libldb 1.1.3 2011-11-24 14:18:54 +01:00
Stephen Gallagher
50d0fe5c94 Resolves: rhbz#752495 - Crash when apply settings 2011-11-10 12:03:57 -05:00
Stephen Gallagher
dd4aa148dd Rebuild for new libldb 2011-11-09 09:02:44 -05:00
Stephen Gallagher
46a6ee6147 New upstream release 1.6.3
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3
Fixes a major cache performance issue introduced in 1.6.2
Fixes a potential infinite-loop with certain LDAP layouts
2011-11-04 12:29:04 -04:00
Dennis Gilmore
9ef1f397c1 - Rebuilt for glibc bug#747377 2011-10-26 19:24:26 -05:00
Stephen Gallagher
9a79ed0faa Change selinux policy requirement to Conflicts: with the old version,
rather than Requires: the supported version.
2011-10-23 13:48:09 -07:00
Stephen Gallagher
14552a85ab Add explicit requirement on selinux-policy version to address new SBUS symlinks. 2011-10-21 08:03:20 -07:00
Stephen Gallagher
359707a48b Remove %%files reference to sss_debuglevel copied from wrong upstreeam spec file. 2011-10-19 07:32:09 -04:00
Stephen Gallagher
75138e2284 Improved handling of users and groups with multi-valued name attributes
(aliases)
Performance enhancements
Initgroups on RFC2307bis/FreeIPA
HBAC rule processing
Improved process-hang detection and restarting
Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries)
Cleaned up the example configuration
New tool to change debug level on the fly
2011-10-18 17:24:31 -04:00
Stephen Gallagher
a6910c0007 New upstream release 1.6.1
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1
Fixes a serious issue with LDAP connections when the communication is
dropped (e.g. VPN disconnection, waking from sleep)
SSSD is now less strict when dealing with users/groups with multiple names
when a definitive primary name cannot be determined
The LDAP provider will no longer attempt to canonicalize by default when
using SASL. An option to re-enable this has been provided.
Fixes for non-standard LDAP attribute names (e.g. those used by Active
Directory)
Three HBAC regressions have been fixed.
Fix for an infinite loop in the deref code
2011-08-29 15:45:02 -04:00
Stephen Gallagher
04d8c969b5 Build with _hardened_build macro 2011-08-03 09:31:33 -04:00
Stephen Gallagher
679b5f7a1b New upstream release 1.6.0
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0
Add host access control support for LDAP (similar to pam_host_attr)
Finer-grained control on principals used with Kerberos (such as for FAST or
validation)
Added a new tool sss_cache to allow selective expiring of cached entries
Added support for LDAP DEREF and ASQ controls
Added access control features for Novell Directory Server
FreeIPA dynamic DNS update now checks first to see if an update is needed
Complete rewrite of the HBAC library
New libraries: libipa_hbac and libipa_hbac-python
2011-08-03 08:08:26 -04:00
Stephen Gallagher
ce222bafe5 New upstream release 1.5.11
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
Fix a serious regression that prevented SSSD from working with ldaps:// URIs
IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6
address being saved to the AAAA record
2011-07-05 15:03:55 -04:00
Stephen Gallagher
72bc2e1636 New upstream release 1.5.11
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
Fix a serious regression that prevented SSSD from working with ldaps:// URIs
IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6
address being saved to the AAAA record
2011-07-05 15:00:32 -04:00
Stephen Gallagher
807b79d3dd New upstream release 1.5.10
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10
Fixed a regression introduced in 1.5.9 that could result in blocking calls
to LDAP
2011-07-01 08:31:11 -04:00
Stephen Gallagher
4ef0c7f5e6 New upstream release 1.5.9
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9
Support for overriding home directory, shell and primary GID locally
Properly honor TTL values from SRV record lookups
Support non-POSIX groups in nested group chains (for RFC2307bis LDAP
servers)
Properly escape IPv6 addresses in the failover code
Do not crash if inotify fails (e.g. resource exhaustion)
Don't add multiple TGT renewal callbacks (too many log messages)
2011-06-30 14:57:29 -04:00
Stephen Gallagher
91fde1e873 New upstream release 1.5.8
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8
Support for the LDAP paging control
Support for multiple DNS servers for name resolution
Fixes for several group membership bugs
Fixes for rare crash bugs
2011-05-27 16:41:02 -04:00
Stephen Gallagher
5796dc7438 Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d
Make sure to properly convert to systemd if upgrading from newer
updates for Fedora 14
2011-05-23 14:51:01 -04:00
Stephen Gallagher
d4aff4665f Fix segfault in TGT renewal 2011-05-02 12:29:25 -04:00
Stephen Gallagher
e4bdfb2159 Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites
cached password with predicatable filename
2011-04-29 14:36:34 -04:00
Stephen Gallagher
eedc5ecda8 Re-add manpage translations 2011-04-20 16:27:19 -04:00
Stephen Gallagher
8ada5dc2d5 New upstream release 1.5.6
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6
Fixed a serious memory leak in the memberOf plugin
Fixed a regression with the negative cache that caused it to be essentially
nonfunctional
Fixed an issue where the user's full name would sometimes be removed from
the cache
Fixed an issue with password changes in the kerberos provider not working
with kpasswd
2011-04-20 15:26:05 -04:00
Stephen Gallagher
d9b22a78e6 Resolves: rhbz#697057 - kpasswd fails when using sssd and
kadmin server != kdc server
Upgrades from SysV should now maintain enabled/disabled status
2011-04-20 12:44:13 -04:00
Stephen Gallagher
d7effc61bd Fix %postun 2011-04-20 12:22:57 -04:00
Stephen Gallagher
d895a5f72c Fix systemd conversion. Upgrades from SysV to systemd weren't properly
enabling the systemd service.
Fix a serious memory leak in the memberOf plugin
Fix an issue where the user's full name would sometimes be removed
from the cache
2011-04-14 16:24:13 -04:00
Stephen Gallagher
7dcee20614 Install systemd unit file instead of sysv init script 2011-04-12 11:52:28 -04:00
Stephen Gallagher
c8fb340975 New upstream release 1.5.5
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5
Fixes for several crash bugs
LDAP group lookups will no longer abort if there is a zero-length member
attribute
Add automatic fallback to 'cn' if the 'gecos' attribute does not exist
2011-04-12 11:14:23 -04:00
Stephen Gallagher
3eed4c3557 Update to SSSD 1.5.4
Improve the way we detect the LDB plugin location

New upstream release 1.5.4
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
Fixes for Active Directory when not all users and groups have POSIX attributes
Fixes for handling users and groups that have name aliases (aliases are ignored)
Fix group memberships after initgroups in the IPA provider
2011-03-24 15:29:47 -04:00
Stephen Gallagher
f6c362454d Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication 2011-03-17 11:47:25 -04:00
Stephen Gallagher
53637a07d3 New upstream release 1.5.3
Support for libldb >= 1.0.0
2011-03-11 13:50:59 -05:00
Stephen Gallagher
3b364490a6 New upstream release 1.5.2
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2
Fixes for support of FreeIPA v2
Fixes for failover if DNS entries change
Improved sss_obfuscate tool with better interactive mode
Fix several crash bugs
Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this
Delete users from the local cache if initgroups calls return 'no such user'
(previously only worked for getpwnam/getpwuid)
Use new Transifex.net translations
Better support for automatic TGT renewal (now survives restart)
Netgroup fixes
2011-03-10 15:00:40 -05:00
Simo Sorce
b28cafe61b - Rebuild sssd against libldb 1.0.2 so the memberof module loads again.
- Related: rhbz#677425
2011-02-27 21:54:52 -05:00
Stephen Gallagher
7a33e7710b - Resolves: rhbz#677768 - name service caches names, so id command shows
-                         recently deleted users
2011-02-21 15:42:00 -05:00
Stephen Gallagher
da2a04f651 - Ensure that SSSD builds against libldb-1.0.0 on F15 and later
- Remove .la for memberOf
2011-02-11 11:41:33 -05:00
Stephen Gallagher
0ad47aae65 - Fix memberOf install path 2011-02-11 11:22:33 -05:00
Stephen Gallagher
e8ab291d89 - Add support for libldb 1.0.0 2011-02-11 09:36:41 -05:00
Dennis Gilmore
8923e26c46 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-09 10:00:19 -06:00
Stephen Gallagher
d12cd5dd26 - Fix nested group member filter sanitization for RFC2307bis
- Put translated tool manpages into the sssd-tools subpackage
2011-02-01 09:20:57 -05:00
Stephen Gallagher
749bf2d662 Bump release number 2011-01-27 14:40:33 -05:00
Stephen Gallagher
7e3a2cd879 - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during
- rpmbuild
2011-01-27 14:38:13 -05:00
Stephen Gallagher
f151b0669b - New upstream release 1.5.1
- Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
- Vast performance improvements when enumerate = true
- All PAM actions will now perform a forced initgroups lookup instead of just
- a user information lookup
-   This guarantees that all group information is available to other
-   providers, such as the simple provider.
- For backwards-compatibility, DNS lookups will also fall back to trying the
- SSSD domain name as a DNS discovery domain.
- Support for more password expiration policies in LDAP
-    389 Directory Server
-    FreeIPA
-    ActiveDirectory
- Support for ldap_tls_{cert,key,cipher_suite} config options
-Assorted bugfixes
2011-01-27 13:50:21 -05:00
Stephen Gallagher
3a15e92ce7 - CVE-2010-4341 - DoS in sssd PAM responder can prevent logins 2011-01-11 12:32:39 -05:00
Stephen Gallagher
5225c3262b - New upstream release 1.5.0
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
2010-12-22 14:08:33 -05:00
Stephen Gallagher
9600ada0fd Fix release number 2010-11-18 08:44:23 -05:00
Stephen Gallagher
069ad4076b - Solve a shutdown race-condition that sometimes left processes running
- Resolves: rhbz#606887 - SSSD stops on upgrade
2010-11-18 08:41:39 -05:00
Stephen Gallagher
4e1de07cd8 - Log startup errors to the syslog
- Allow cache cleanup to be disabled in sssd.conf
2010-11-16 12:48:57 -05:00
Stephen Gallagher
9d5bcde0eb - New upstream release 1.4.1
- Add support for netgroups to the proxy provider
- Fixes a minor bug with UIDs/GIDs >= 2^31
- Fixes a segfault in the kerberos provider
- Fixes a segfault in the NSS responder if a data provider crashes
- Correctly use sdap_netgroup_search_base
2010-11-01 09:02:47 -04:00
Stephen Gallagher
75efc48618 Fix incorrect tarball URL 2010-10-18 16:06:09 -04:00
Stephen Gallagher
d8a8ec9a9a Fix tarball URL 2010-10-18 16:04:39 -04:00
Stephen Gallagher
9b0ef1cecd - New upstream release 1.4.0
- Added support for netgroups to the LDAP provider
- Performance improvements made to group processing of RFC2307 LDAP servers
- Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin
- Build-system improvements to support Gentoo
- Split out several libraries into the ding-libs tarball
- Manpage reviewed and updated
2010-10-18 14:44:48 -04:00
Stephen Gallagher
2d631b340a - Fix pre and post script requirements 2010-10-04 09:47:22 -04:00
Stephen Gallagher
3f786445f0 - Resolves: rhbz#606887 - sssd stops on upgrade 2010-10-04 09:23:20 -04:00
Stephen Gallagher
8cdc9d4fbc - Resolves: rhbz#626205 - Unable to unlock screen 2010-10-04 09:14:17 -04:00
Stephen Gallagher
c99e02ae14 Bump release number and fix changelog message 2010-09-28 07:55:09 -04:00
Stephen Gallagher
d19c240979 - Resolves: 637955 - libini_config-devel needs libcollection-devel but
-                    doesn't require it
2010-09-28 07:49:22 -04:00
Stephen Gallagher
6931ca88fa - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib 2010-09-16 09:34:47 -04:00
Stephen Gallagher
cfa7be9344 - Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib 2010-09-16 09:32:53 -04:00
Stephen Gallagher
8c665d0af5 Resolves: CVE-2010-2940 2010-08-24 12:10:04 -04:00
dmalcolm
eb2fc3c856 - Rebuilt for
https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
2010-07-22 06:37:10 +00:00
Stephen Gallagher
bd215c451c - New upstream version 1.2.91 (1.3.0rc1)
- Improved LDAP failover
- Synchronous sysdb API (provides performance enhancements)
- Better online reconnection detection
2010-07-09 18:52:22 +00:00
Stephen Gallagher
d41b28e7ec - New stable upstream version 1.2.1
- Resolves: rhbz#595529 - spec file should eschew %define in favor of
- %global
- Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd
    service
- to fail while restart.
- Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel
- keyring
- Resolves: rhbz#599724 - sssd is broken on Rawhide
2010-06-21 11:37:06 +00:00
Stephen Gallagher
d5f2e4a868 - New stable upstream version 1.2.0
- Support ServiceGroups for FreeIPA v2 HBAC rules
- Fix long-standing issue with auth_provider = proxy
- Better logging for TLS issues in LDAP
2010-05-24 19:19:33 +00:00
Stephen Gallagher
439d34ed5c - New LDAP access provider allows for filtering user access by LDAP
attribute
- Reduced default timeout for detecting offline status with LDAP
- GSSAPI ticket lifetime made configurable
- Better offline->online transition support in Kerberos
2010-05-18 18:02:30 +00:00
Stephen Gallagher
6a6c9eb9a8 - Release new upstream version 1.1.91
- Enhancements when using SSSD with FreeIPA v2
- Support for deferred kinit
- Support for DNS SRV records for failover
2010-05-07 21:36:48 +00:00
Simo Sorce
e5b19bf276 - Bump up release number to avoid library sub-packages version issues with
previous releases.
2010-04-02 15:48:31 +00:00
Stephen Gallagher
db77daa344 - New upstream release 1.1.1
- Fixed the IPA provider (which was segfaulting at start)
- Fixed a bug in the SSSDConfig API causing some options to revert to
- their defaults
- This impacted the Authconfig UI
- Ensure that SASL binds to LDAP auto-retry when interrupted by a signal
2010-04-01 15:19:19 +00:00
Stephen Gallagher
58c745dac6 - Release SSSD 1.1.0 final
- Fix two potential segfaults
- Fix memory leak in monitor
- Better error message for unusable confdb
2010-03-22 19:54:48 +00:00
Stephen Gallagher
026e8e0f23 - Release candidate for SSSD 1.1
- Add simple access provider
- Create subpackages for libcollection, libini_config, libdhash and
    librefarray
- Support IPv6
- Support LDAP referrals
- Fix cache issues
- Better feedback from PAM when offline
2010-03-17 16:53:01 +00:00
Stephen Gallagher
7362f8c6bd - Rebuild against new libtevent 2010-02-24 20:44:32 +00:00
Stephen Gallagher
94dadd289a - Fix licenses in sources and on RPMs 2010-02-19 15:39:59 +00:00
Stephen Gallagher
48e4ae867d - Fix regression on 64-bit platforms 2010-01-25 18:52:14 +00:00
Stephen Gallagher
2600cc3d21 - Fixes link error on platforms that do not do implicit linking
- Fixes double-free segfault in PAM
- Fixes double-free error in async resolver
- Fixes support for TCP-based DNS lookups in async resolver
- Fixes memory alignment issues on ARM processors
- Manpage fixes
2010-01-22 15:15:20 +00:00
Stephen Gallagher
23f12b722f - Fixes a bug in the failover code that prevented the SSSD from detecting
when it went back online
- Fixes a bug causing long (sometimes multiple-minute) waits for NSS
    requests
- Several segfault bugfixes
2010-01-14 17:03:05 +00:00
Stephen Gallagher
2de26e9e6f Updating to SSSD 1.0.1
Fixes: CVE-2010-0014
2010-01-11 14:23:23 +00:00
Stephen Gallagher
d9fd9eee1e Fix https://bugzilla.redhat.com/show_bug.cgi?id=549482 2009-12-21 20:39:34 +00:00
Stephen Gallagher
f5d8b9bca4 == Highlights ==
One serious security issue was resolved related to the kerberos provider.
Users who authenticate against Kerberos and have cached credentials could
    log in with a zero-length password
The network exposure of this bug was limited, as users logged in this way
    would not have valid network credentials (by lucky accident).
This issue was present only in the 0.99.x preview releases and not in any
    of the stable releases (0.7.1 and earlier)
Stability fixes since the 0.99.1 preview release
Added or updated several translations
Fixed long-standing "I have no name!" issue with X-based terminals
SSSD now passes "make distcheck" cleanly
SSSD PAM now conforms better to standards regarding PAM_PRELIM_CHECK
== Detailed Changelog == Göran Uddeborg (2):
Update SV translation
Update SV translation
Marina Latini (1):
Update IT translation
Martin Nagy (2):
Don't consider one address with different port numbers as the same
Change the first server pick logic
Sergei V. Kovylov (1):
sssd.spec for SLES
Simo Sorce (2):
Fix upgrade bug #323
Fix ldap child memory hierarchy and other issues
Stephen Gallagher (14):
Properly close STDERR when daemonizing
Fix tight loop in monitor
Don't set explicit default for "timeout" in domains
Fix warning in server.c
Raise DEBUG level of sdap_get_generic_done()
Change default for enumeration to TRUE
Fix tight-loop in monitor part 2
Properly handle EINTR from poll()
Updating ES translation
Add DEBUG messages to getpwnam_callback and getpwuid_callback
Clarify access_provider manpage entry
Do not blindly accept zero-length passwords
Fix broken password changes for local users
Release SSSD 1.0
Sumit Bose (9):
Use sys.exit instead of exit
Check for minimal version of check
Build python modules in builddir
Use --with-ldb-lib-dir while running make distcheck
Cleanup db files after test run
disable password migration code
Handle chauthtok with PAM_PRELIM_CHECK separately
Do not overwrite valid TGTs when offline
Fix for #345
2009-12-18 23:53:16 +00:00
Stephen Gallagher
336aac3e2c David O'Brien (1):
Copy-edit sssd-ipa man page
Dmitri Pal (5):
COMMON Improvements to the trace macro
COLLECTION Create reference to the top level collection
Cleaning FIXME comments
Cleaning FIXME comments.
INI Correcting build warnings.
Fabian Affolter (1):
Add German translation
Göran Uddeborg (2):
Add Swedish translation for sss_client
Add Swedish translation for SSSD server
Jakub Hrozek (13):
Warn visibly about permission problems with the config file
Better error message when there is no local domain configured
Setup ldap child logging from IPA backend
Check the services started against a list of known services
Handle spaces in config parser
Fail on nonexistent input file
Do not start with provider=files
Reduce code duplication between LDAP child and Kerberos child
Change ares usage to be c-ares 1.7.0 compatible
Import ares 1.7.0 helpers
Don't build the SRV and TXT parsing code except for tests
Document the failover feature in manpages
Consolidate code for splitting strings by separator
Martin Nagy (3):
Fix egg-info file generation in the spec file
Add some debugging statements to fail_over and resolver
Correctly restart server status after the timeout
Simo Sorce (17):
Fix tabs
Fix memberof plugin
Compute and save memberuid in cache as well
Use memberuid and not member in group enumerations
Use the custom password field in groups too.
Resolve nested groups also when rfc2307bis is used
Make strdn build functions more available
Fix nested group memberships
Allow nesting to fix #310
Fix bug #311, properly set callback attribute
Change dhash API to be talloc-friendly
Add private pointer for delete callback
Add comments to document latest changes
Add rebuild task to memberof plugin
Handle the special 02 upgrade case for 04->05
Fix for #316
Fix for #322, update from old database versions.
Stephen Gallagher (28):
Remove ELAPI from build and tarball
Stop configuring ELAPI
Make debug log timestamps human-readable
Raise debug log level for LDB_DEBUG_WARNING
Add allocation error check
Avoid returning uninitialized result.
Fix potential uninitialized value errors in nsssrv_cmd.c
Fix potential uninitialized value error in responder_dp.c
SSSDDomain.remove_provider() requires only the provider type
Make SSSDDomain.remove_provider() remove configured options
Run dhash tests
Add SSSDDomain.set_name() function to SSSDConfig API
Reduce the verbosity of the SSSDConfigTest
Fix broken SSSDChangeConf.set() function
Fix SSSDConfig API bugs around [de-]activation of domains
Fix RPM spec for RHEL6
fix deactivate_domain()
SSSDConfig.get_domain() should properly detect active state
Ensure that list_active_domains returns the real value
Properly deny id_provider=files
Add missing options to sssd-ipa configuraion
Add missing SSSDConfig file for IPA for make install
Fix processing of Boolean values in SSSDConfig
Add 'permit' and 'deny' access providers to SSSDConfig API
Remove default for ldap_use_start_tls in IPA providers
Run SSSDConfig tests during 'make check'
Fix stupid copy-paste error
Updating to version 0.99.1
Sumit Bose (13):
Do not include libsss_ipa.la in rpm package
Immediately return a krb5 change password request when offline
Check LDAP structure before calling ldap_unbind_ext()
Add sysdb_search_custom request
Do not treat missing proc files as errors.
Add basic OS detection
Make packaging of *.egg-info files more flexible
Try to renew Kerberos credentials
Add checks to test the memberuid handling
Add offline support for ipa_access
Add dummy credentials to an empty ccache file
Always update sysdb to the latest version
Fix DEBUG message for sysdb_init
beckerde (1):
Add Spanish translation
ruigo (1):
Add Portuguese translation
2009-12-11 14:16:51 +00:00
Stephen Gallagher
ad368b8c32 == Highlights ==
Enhanced IPA provider with host-based access control support
Added server failover feature
Vast performance enhancements to enumerations
Performance enhancements to offline user lookups
Improvements to the SSSDConfig API and configuration upgrade scripts. They
    will now retain comments and ordering.
Several new translations
== Known Bugs ==
Nested groups are known to be broken in 0.99. A fix is basically ready, but
    was too late for inclusion in this release. This will be fixed before
    the 1.0 release.
== Detailed changes since 0.7.1 == Bouska (1):
Add French translation to sss_client
Jakub Hrozek (17):
Fix migration script for pre-0.5 local domains
Do not migrate Data Provider
Free the PCRE regexp with destructor
Do not delete users, groups outside domain range
Add missing include
IPA time rules parsing routines
Fix regression in error message when deleting groups
Assorted manpage fixes
Make the password field configurable in NSS
Add Simo's ipachangeconf
SSSDChangeConf - a wrapper around ipachangeconf
Change the upgrade script to use ipachangeconf
Convert SSSDConfig API to ipachangeconf
SSSDConfigAPI fixes
upgrade_config fixes for SSSD 0.6 and later
Split helpers for child processes
Get TGT in a child process.
Martin Nagy (5):
Add missing include file to files-tests.c
Fix a bad free in async_resolv.c
Add DLIST_FOR_EACH() macro
Add simple reference counting wrappers for talloc
Add fail over utility functions
Piotr Drąg (1):
Updating polish translation for 0.7.0
Simo Sorce (48):
Copy option overrides.
Read the right buffer, avoids potential segfaults
Add IPA conf template
Zero pointers on free
Use standard coding practice to set last login
Fix segfault
Add proper support for IPA/AD schemas
Move responsibility for entry expiration timeout
Kill the ldap connection when we go offline
Tidy up ipa options
Add support to get rootDSE from the LDAP server.
Fix segfault when SASL is not used at all
Rename sdap_id_map to sdap_attr_map
Make available method to quickly retrive string
Make useful function more broadly available.
Store the original memberof attributes if any
Unify parse routines, use maps in generic searches
Fix and enhance initgroups call
Unify code to use the generic search interface
Reorganize ldap id provider files
Split async helpers in multiple files
Always set last update and expire time
Fix build
Fix ldap driver
Check return, zero free hostent, adhere to style
Fix enumerations
Fix tevent_req error checking.
Refactor delete functions and add a few
Add cleanup task
Try to fix offline logins
Fix double free case.
Fix check_cache bug in dealing with the callback
Change var name to make its use more clear.
Fix crash due to uninitialized timeout variable
Change initgroups code to use and check the cache
Change the pam code to perform an initgroups call
Store initgr expire time on initgr call
Failover fixes and additions
Better behavior on cleanup
Correctly escape DN value.
Add reference to sssd-krb5 man page.
Optimize sysdb_enumgrent
Filter by id range before actually storing entries.
Raise some timeouts
Add initial failover support for ldap and ipa
Fix ticket #289
Fix internal options numbers test
In IPA, the realm is always the domain uppercased.
Stephen Gallagher (32):
Remove DP from example configuration
Remove [dp] section from example config
Fix sssd.api.conf with correct entry_cache_timeout
Clean up warnings in dhash tests
Make config_file_version a hidden setting in SSSDConfig API
Remove magic_private_groups from SSSDConfig API schema
Add support for option descriptions to SSSDConfig API
Localize SSSDConfig strings
Add complete pydoc for SSSDConfig API
cyrus-sasl-gssapi
Simplify debug_fn()
Add configure check for sasl.h
Update midpoint refresh logic to be relative to cache timeout
Increase the sbus dispatch DEBUG level to 9
Build files.c only for tools
Clean up unused dependencies
Update sssd.spec to use only the required KRB5_LIBS and NSS_LIBS
Fix segfault on unknown user/domain
sssd-client line in specfile
Make the sysdb user and group names case-sensitive
Upgrade cache and local databases to case-sensitive names
Update translatable strings
Fix sysdb upgrade bug
Add empty NL translation
Only display errors in unit tests
Update PL translation
Update NL translation
Make backend request type a bitfield
Speed up user requests while offline
Update translation strings for string freeze
Fix bug with bad ldb pkg-config files
Update version to 0.99.0
Sumit Bose (32):
store original DN with cached group objects if available
added a ASQ search API for sysdb
Allow sysdb_search_entry request to return more than one result
Add AM_CFLAGS to unit tests
Fix compiler warnings in krb5_utils-tests.
remove old sysdb file before starting tests
set ipa_hostname if not given in config file
Make debug message less irritating.
add sysdb_delete_recursive request to sysdb API
Add sysdb_attrs_replace_name to sysdb API.
Fix for a seg fault during recursive delete
add replacements for missing Kerberos calls
Check is ccache structure is initialized before calling krb5_cc_destroy
added access module of IPA provider
Simplify krb5 child handler
Add check for access-time rules to ipa_access.
Add support for host, source host and user category
Fix inconsistent use of krb5_ccname_template
Fixes for proxy provider
Make 'permit' the default for the access target
Fix option name krb5_changepw_principal
Validate Kerberos credentials with local keytab
Improve handling of ccache files
Add ipa_auth
Enhance check for remote hosts
Add ldap_pwd_policy option
Read KDC info from file instead from environment
Really check return value from pam_set_item
Use ldb modules from build root for tests
Make ldb lib dir configurable
Fix an internal error when cache_credentials=FALSE
Remove unneeded debugging code
deneb (1):
Add Italian translation for sss_client
noriko (1):
Adding Japanese translation
raven (1):
Update PL translation
2009-11-30 15:39:15 +00:00
Stephen Gallagher
9b52793f52 New upstream release
Fix segfaults and upgrade issues. Provide newer default configuration.
2009-10-27 19:29:01 +00:00
Stephen Gallagher
04c1b5452b Fix upgrade issues from old (pre-0.5.0) releases of SSSD
Configuration files before 0.5.0 did not enforce provider= in local domains
    it did special-case by domain name (LOCAL). Our script was relying on
    provider= value, this patch adds the special-casing in case the domain
    was called LOCAL.
2009-10-26 13:08:58 +00:00
Stephen Gallagher
d6e2c70de2 Dmitri Pal (10):
COLLECTION Adding item comparison and sorting
COLLECTION Realigning collection code
COLLECTION Making iterations pinnable
COLLECTION Enhancing hashing and iteration functions
ELAPI Event resolver
ELAPI Resolving message attribute
ELAPI Fixing warnings in the example
ELAPI Rename variables and functions not to use word template
ELAPI Fixed the host name resolution
ELAPI Compatibility code for getifaddr()
Jakub Hrozek (3):
Fix python sync operations and mem hierarchy
Fix error messages in tools
User home directories management
Martin Nagy (7):
Use correct talloc context in sss_names_init()
Fix potential memory leaks in the data provider
Use talloc_get_type() for type safety
Use talloc to copy data from c-ares
Add a new set of helpful common functions for tests
Various improvements to the resolv test suite
Delete sssd-i18n.h and put it's old contents into util.h
Piotr Dr?g (1):
Update polish translation for 0.6.0
Ralf Haferkamp (2):
LDAP provider needs to link against krb libraries
SUSE specific init script
Simo Sorce (21):
Tighten up permission.
Initial implementation of sasl bind support
Fix tools sync operations and mem hierarchy
Fix long timeout on ldap operation
Make dp requests more robust
Differentiate between search and network timeouts
Remove DP process
Start responders predictably after providers
Remove magicPrivateGroups option
Fix services startup when only LOCAL is configured
Make options parser available to all providers
Move ldap provider configuration into its own file
Fix offline authentication
Return the dp error from the providers
Move all ldap provider init functions
Move all krb5 provider init functions
Add first basic IPA provider
Always list inputs before outputs
Start implementing ipa specific options.
Better offline/enumeration behavior
Fix setting the schema in the ipa provider
Stephen Gallagher (24):
Update version to 0.6.0
Fix infinite loop with empty group enumeration
Updating release script to use the VERSION file
Change requirement on libldb to libldb >= 0.9.3
INI Add config_from_fd() to ini_config
Remove unused btreemap code
Add new SSSDConfig python API
Add plugin configuration schema for proxy provider
Package SSSDConfig API
Clean up warnings in pysss.c
Remove warnings caused by 5e2301b8a75d10e5cbbe11e26e5192b894af6ad7
Remove two unused functions.
Fix segfault when using SSS tools with no local provider
Do not allow setting auth, access or chpass providers for LOCAL
Add krb5_common.h to the list of headers to 'make dist'
Use Python 3-compatible sitearch and sitelib
Better detect installed language files
Clean up rpmlint errors and warnings in sssd-client package
Set the Default-Stop LSB option for the SSSD sysv init script
Fix RPM builds on older versions of rpmbuild
Bring SSSDConfig API options up-to-date
Add pam_ctx (similar to nss_ctx) for storing global PAM config
Add support for offline auth cache timeout
Update version to 0.7.0
Sumit Bose (28):
update sysdb tests to new config file version
add utility call check_and_open_readonly
more documentation and test for sssd.conf
handle expired password during authentication
move password handling into subroutines
ask for new password if password is expired
remove redundant talloc_free
add description of chpass_provider option to sssd.conf man page
add support for server side LDAP password policies
add syslog message similar to pam_unix
use the correct kerberos context for each target
fix a wrong argument to unpack_buffer
add -Werror-implicit-function-declaration to default gcc flags
add a replacement if ldap_control_create is missing
use PYTHON_PREFIX to install SSSDConfig python API
add missing %defattr to the filelist of the client package
make sdap_id_connect_* independent of sdap_id_ctx
send a message if a backend target is not configured
use old password if available during password change
set chpass_provider implicit if not set explicit
more implicit provider target settings
enable debugging of krb5_child
Check for expired passwords in LDAP provider
added generic LDAP search sdap_get_generic_send/_recv
add store/search/delete interface for custom sysdb objects
update krb5 option handling to new option scheme
update ipa auth options to new option scheme
fix a compiler warning about redefinition of DEBUG
2009-10-23 19:52:18 +00:00
Stephen Gallagher
fba27f0642 Fix missing file permissions for sssd-clients 2009-10-15 13:26:44 +00:00
Stephen Gallagher
a0cdb7e0dc - Add SSSDConfig API
- Update polish translation for 0.6.0
- Fix long timeout on ldap operation
- Make dp requests more robust
2009-10-13 20:25:50 +00:00
Stephen Gallagher
fbbcc44a29 Bump release number 2009-09-29 12:42:59 +00:00
Stephen Gallagher
4067ebb41f Add missing changelog updates 2009-09-29 12:41:09 +00:00
Stephen Gallagher
4c45356ecc Add two patches
1) Ensure that the configuration upgrade script always writes the config
    file with 0600 permissions
2) Eliminate an infinite loop in group enumerations
2009-09-29 12:19:20 +00:00
sbose
7a716e3c15 New upstream release 0.6.0 2009-09-28 08:51:24 +00:00
Simo Sorce
8b935a1efc - New upstream release 0.5.0 2009-08-24 18:56:24 +00:00
Jakub Hrozek
2cae3a8b19 Fix for CVE-2009-2410 - Native SSSD users with no password set could log in
without a password. (Patch by Stephen Gallagher)
2009-07-29 11:21:47 +00:00
Jesse Keating
56d52b468a - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild 2009-07-27 04:48:02 +00:00
Simo Sorce
7522c31552 - Fix a couple of segfaults that may happen on reload 2009-06-22 14:49:00 +00:00
Simo Sorce
d0eb246884 - add missing configure check that broke stopping the daemon
- also fix default config to add a missing required option
2009-06-11 14:13:16 +00:00
Simo Sorce
298ea67a65 - latest upstream release.
- also add a patch that fixes debugging output (potential segfault)
2009-06-08 16:22:13 +00:00
Simo Sorce
e034caf325 - release out of the official 0.3.2 tarball 2009-04-20 19:59:37 +00:00
Jakub Hrozek
6f3fcee1b7 Update to 0.3.2 2009-04-20 18:17:19 +00:00
Simo Sorce
cb09420cd2 add patch 0002 too 2009-04-14 21:53:40 +00:00
Simo Sorce
d4c7182341 - Add last minute bug fixes, found in testing the package 2009-04-14 21:24:36 +00:00
Simo Sorce
9797cfd950 - Version 0.3.1
- includes previous release patches
2009-04-13 22:37:11 +00:00
Simo Sorce
abd724acaf - Try to fix build adding automake as an explicit BuildRequire
- Add also a couple of last minute patches from upstream
2009-04-13 17:48:03 +00:00
Simo Sorce
740369efcf Some more build requires 2009-04-13 17:11:39 +00:00
Simo Sorce
9afc8fce0b - Try to fix build adding automake as an explicit BuildRequire 2009-04-13 16:04:16 +00:00
Simo Sorce
276bbb1dfb - Version 0.3.0
- Provides file based configuration and lots of improvements
2009-04-13 15:49:54 +00:00
Simo Sorce
a85a9618e4 - Version 0.2.1 2009-03-10 21:34:16 +00:00
Simo Sorce
4f143048ca - Version 0.2.0 2009-03-10 20:43:08 +00:00
Jakub Hrozek
abb369a4fb Initial import of sssd into Fedora 2009-03-09 17:07:25 +00:00