New upstream release 1.5.14

https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.14
Improved handling of users and groups with multi-valued name attributes
(aliases)
Performance enhancements
* Initgroups on RFC2307bis/FreeIPA
* HBAC rule processing
Improved process-hang detection and restarting
Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
Cleaned up the example configuration

Conflicts:

	sssd.spec

.gitignore

@@ -7,3 +7,14 @@ sssd-1.2.91.tar.gz
 /sssd-1.5.2.tar.gz
 /sssd-1.5.3.tar.gz
 /sssd-1.5.4.tar.gz
+/sssd-1.5.5.tar.gz
+/sssd-1.5.6.tar.gz
+/sssd-1.5.6.1.tar.gz
+/sssd-1.5.7.tar.gz
+/sssd-1.5.8.tar.gz
+/sssd-1.5.9.tar.gz
+/sssd-1.5.10.tar.gz
+/sssd-1.5.11.tar.gz
+/sssd-1.5.12.tar.gz
+/sssd-1.5.13.tar.gz
+/sssd-1.5.14.tar.gz

sources

@@ -1 +1 @@
-d1459f6e0d0a5246374f08e6ab24c7de  sssd-1.5.4.tar.gz
+4a00b154c90e40379275d20247b97ce5  sssd-1.5.14.tar.gz

sssd.spec

@@ -5,10 +5,10 @@
 
 # Determine the location of the LDB modules directory
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
-%global ldb_version 1.0.2
+%global ldb_version 0.9.10
 
 Name: sssd
-Version: 1.5.4
+Version: 1.5.14
 Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
@@ -24,8 +24,8 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires: libldb = %{ldb_version}
 Requires: libtdb >= 1.1.3
 Requires: sssd-client = %{version}-%{release}
+Requires: libipa_hbac = %{version}-%{release}
 Requires: cyrus-sasl-gssapi
-Requires: krb5-libs >= 1.9
 Requires(post): initscripts chkconfig /sbin/ldconfig
 Requires(preun):  initscripts chkconfig
 Requires(postun): initscripts chkconfig /sbin/ldconfig
@@ -66,7 +66,7 @@ BuildRequires: pcre-devel
 BuildRequires: libxslt
 BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
-BuildRequires: krb5-devel >= 1.9
+BuildRequires: krb5-devel
 BuildRequires: c-ares-devel
 BuildRequires: python-devel
 BuildRequires: check-devel
@@ -78,6 +78,9 @@ BuildRequires: keyutils-libs-devel
 BuildRequires: libnl-devel
 BuildRequires: nscd
 BuildRequires: gettext-devel
+BuildRequires: pkgconfig
+BuildRequires: libunistring-devel
+BuildRequires: findutils
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -108,6 +111,34 @@ SSSD when using id_provider = local in /etc/sssd/sssd.conf.
 Also provides a userspace tool for generating an obfuscated LDAP password for
 use with ldap_default_authtok_type = obfuscated_password.
 
+%package -n libipa_hbac
+Summary: FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n libipa_hbac
+Utility library to validate FreeIPA HBAC rules for authorization requests
+
+%package -n libipa_hbac-devel
+Summary: FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+
+%description -n libipa_hbac-devel
+Utility library to validate FreeIPA HBAC rules for authorization requests
+
+%package -n libipa_hbac-python
+Summary: Python bindings for the FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+
+%description -n libipa_hbac-python
+The libipa_hbac-python contains the bindings so that libipa_hbac can be
+used by Python applications.
+
+
 %prep
 %setup -q
 
@@ -118,13 +149,14 @@ autoreconf -ivf
     --with-pipe-path=%{pipepath} \
     --with-pubconf-path=%{pubconfpath} \
     --with-init-dir=%{_initrddir} \
+    --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
     --enable-nsslibdir=/%{_lib} \
     --enable-pammoddir=/%{_lib}/security \
     --disable-static \
     --disable-rpath \
     --with-test-dir=/dev/shm
 
-make %{?_smp_mflags}
+make %{?_smp_mflags} all docs
 
 %check
 export CK_TIMEOUT_MULTIPLIER=10
@@ -154,17 +186,11 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d
 install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd
 
 # Remove .la files created by libtool
-rm -f \
-    $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \
-    $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \
-    $RPM_BUILD_ROOT/%{ldb_modulesdir}/memberof.la \
-    $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \
-    $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \
-    $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \
-    $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \
-    $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_simple.la \
-    $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \
-    $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la
+find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
+
+# Suppress developer-only documentation
+rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}/doc
+
 
 # Older versions of rpmbuild can only handle one -f option
 # So we need to append to the sssd.lang file
@@ -199,6 +225,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/%{name}/
 %{ldb_modulesdir}/memberof.so
 %dir %{sssdstatedir}
+%dir %{_localstatedir}/cache/krb5rcache
 %attr(700,root,root) %dir %{dbpath}
 %attr(755,root,root) %dir %{pipepath}
 %attr(755,root,root) %dir %{pubconfpath}
@@ -249,6 +276,22 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sss_usermod.8*
 %{_mandir}/man8/sss_obfuscate.8*
 
+%files -n libipa_hbac
+%defattr(-,root,root,-)
+%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libipa_hbac.so.*
+
+%files -n libipa_hbac-devel
+%defattr(-,root,root,-)
+%doc hbac_doc/html
+%{_includedir}/ipa_hbac.h
+%{_libdir}/libipa_hbac.so
+%{_libdir}/pkgconfig/ipa_hbac.pc
+
+%files -n libipa_hbac-python
+%defattr(-,root,root,-)
+%{python_sitearch}/pyhbac.so
+
 %post
 /sbin/ldconfig
 /sbin/chkconfig --add %{servicename}
@@ -269,7 +312,110 @@ fi
 
 %postun client -p /sbin/ldconfig
 
+%post -n libipa_hbac -p /sbin/ldconfig
+
+%postun -n libipa_hbac -p /sbin/ldconfig
+
 %changelog
+* Wed Oct 19 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.14-1
+- New upstream release 1.5.14
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.14
+- Improved handling of users and groups with multi-valued name attributes
+  (aliases)
+- Performance enhancements
+  * Initgroups on RFC2307bis/FreeIPA
+  * HBAC rule processing
+- Improved process-hang detection and restarting
+- Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
+- Cleaned up the example configuration
+
+* Mon Aug 29 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.13-1
+- New upstream release 1.5.13
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13
+- Fixes a serious issue with LDAP connections when the communication is
+  dropped (e.g. VPN disconnection, waking from sleep)
+- SSSD is now less strict when dealing with users/groups with multiple names
+  when a definitive primary name cannot be determined
+- The LDAP provider will no longer attempt to canonicalize by default when
+  using SASL. An option to re-enable this has been provided
+- Fixes for non-standard LDAP attribute names (e.g. those used by Active
+  Directory)
+- Three HBAC regressions have been fixed
+
+* Fri Aug 05 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.12-1
+- New upstream release 1.5.12
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.12
+- Fixes a regression introduced in 1.5.11 with hostname resolution
+- Fixes an issue where sssd_pam would leak file descriptors until resource
+  exhaustion
+- Complete rewrite of the FreeIPA Host-Based Access Control (HBAC) resolver
+- New shared library for HBAC access-control
+- Fixes for password expiration handling with LDAP auth
+- New option to veto certain centrally-managed shells (Patch by John Hodrien)
+
+* Tue Jul 05 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.11-2
+- New upstream release 1.5.11
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
+- Fix a serious regression that prevented SSSD from working with ldaps:// URIs
+- IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6
+- address being saved to the AAAA record
+
+* Fri Jul 01 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.10-1
+- New upstream release 1.5.10
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10
+- Fixed a regression introduced in 1.5.9 that could result in blocking calls
+- to LDAP
+
+* Thu Jun 30 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.9-1
+- New upstream release 1.5.9
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9
+- Support for overriding home directory, shell and primary GID locally
+- Properly honor TTL values from SRV record lookups
+- Support non-POSIX groups in nested group chains (for RFC2307bis LDAP
+- servers)
+- Properly escape IPv6 addresses in the failover code
+- Do not crash if inotify fails (e.g. resource exhaustion)
+- Don't add multiple TGT renewal callbacks (too many log messages)
+
+* Fri May 27 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.8-1
+- New upstream release 1.5.8
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8
+- Support for the LDAP paging control
+- Support for multiple DNS servers for name resolution
+- Fixes for several group membership bugs
+- Fixes for rare crash bugs
+
+* Fri Apr 29 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.7-1
+- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites
+-                         cached password with predicatable filename
+
+* Wed Apr 20 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.6.1-1
+- Re-add manpage translations
+
+* Wed Apr 20 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.6-1
+- New upstream release 1.5.6
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6
+- Fixed a serious memory leak in the memberOf plugin
+- Fixed a regression with the negative cache that caused it to be essentially
+- nonfunctional
+- Fixed an issue where the user's full name would sometimes be removed from
+- the cache
+- Fixed an issue with password changes in the kerberos provider not working
+- with kpasswd
+- Resolves: rhbz#697057 - kpasswd fails when using sssd and
+-                         kadmin server != kdc server
+- Fix a serious memory leak in the memberOf plugin
+- Fix an issue where the user's full name would sometimes be removed
+- from the cache
+
+* Tue Apr 12 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.5-1
+- New upstream release 1.5.5
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5
+- Fixes for several crash bugs
+- LDAP group lookups will no longer abort if there is a zero-length member
+- attribute
+- Add automatic fallback to 'cn' if the 'gecos' attribute does not exist
+
 * Thu Mar 24 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.4-1
 - New upstream release 1.5.4
 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
@@ -277,6 +423,9 @@ fi
 - Fixes for handling users and groups that have name aliases (aliases are ignored)
 - Fix group memberships after initgroups in the IPA provider
 
+* Fri Mar 18 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.3-3
+- Fix version requirement on libldb
+
 * Thu Mar 17 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.3-2
 - Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication
 
@@ -298,9 +447,8 @@ fi
 - Better support for automatic TGT renewal (now survives restart)
 - Netgroup fixes
 
-* Sun Feb 27 2011 Simo Sorce <ssorce@redhat.com> - 1.5.1-9
-- Rebuild sssd against libldb 1.0.2 so the memberof module loads again.
-- Related: rhbz#677425
+* Mon Feb 21 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.1-9
+- Fix build against older libldb
 
 * Mon Feb 21 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.1-8
 - Resolves: rhbz#677768 - name service caches names, so id command shows
@@ -323,6 +471,9 @@ fi
 - Fix nested group member filter sanitization for RFC2307bis
 - Put translated tool manpages into the sssd-tools subpackage
 
+* Thu Jan 27 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.1-2.1
+- Remove requirement on krb5-devel 1.9
+
 * Thu Jan 27 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.5.1-2
 - Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during
 - rpmbuild
@@ -368,7 +519,6 @@ fi
 - platforms where LDAP referrals are not supported
 - Added support for manpage translations
 
-
 * Thu Nov 18 2010 Stephen Gallagher <sgallagh@redhat.com> - 1.4.1-3
 - Solve a shutdown race-condition that sometimes left processes running
 - Resolves: rhbz#606887 - SSSD stops on upgrade