Fedora 14 Update: sssd-1.5.4-1.fc14

updates at fedoraproject.org
Mon Mar 28 19:28:23 UTC 2011


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-4105
2011-03-25 19:03:50
--------------------------------------------------------------------------------

Name        : sssd
Product     : Fedora 14
Version     : 1.5.4
Release     : 1.fc14
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Description :
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

--------------------------------------------------------------------------------
Update Information:

== Highlights ==
 * Fixes for Active Directory when not all users and groups have POSIX attributes
 * Fixes for handling users and groups that have name aliases (aliases are ignored)
 * Fix group memberships after initgroups in the IPA provider

== Detailed Changelog ==

Jakub Hrozek (4):
 * Fix LDAP search filter for nested initgroups
 * Add originalDN to fake groups
 * Use fake groups during IPA schema initgroups
 * Return from functions in LDAP provider after marking request as failed

Stephen Gallagher (19):
 * Update version to 1.5.4
 * Require existence of GID number and name in group searches
 * Require existence of username, uid and gid for user enumeration
 * Add support for krb5 access provider to SSSDConfig API
 * Fix incorrect return value check
 * Create sysdb_get_rdn() function
 * Add sysdb_attrs_primary_name()
 * Ignore aliases for users
 * RFC2307: Ignore aliases for groups
 * RFC2307bis: Ignore aliases for groups
 * Use sysdb_attrs_primary_name() in sdap_initgr_nested_store_group
 * Add sysdb_attrs_primary_name_list() routine
 * Don't crash if we get a multivalued name without an origDN
 * Don't crash on error if _name parameter unspecified
 * Check result of talloc_strdup() properly
 * sss_obfuscate: Avoid traceback on ctrl+d
 * sss_obfuscate: abort on ctrl+c
 * Add transifex_client configuration
 * Adding new translations

Sumit Bose (1):
 * Sanitize DN when searching the original DN in the cache

Modify SSSD's LDAP search filters to exclude groups and users that do not have all required information (useful for ActiveDirectory setups where some groups are POSIX-enabled and others are not)

sssd-1.5.3-3.fc14 - correct the libldb version requirement (bad merge from rawhide)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 24 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.4-1
- New upstream release 1.5.4
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4
- Fixes for Active Directory when not all users and groups have POSIX attributes
- Fixes for handling users and groups that have name aliases (aliases are ignored)
- Fix group memberships after initgroups in the IPA provider
* Fri Mar 18 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.3-3
- Fix version requirement on libldb
* Thu Mar 17 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.3-2
- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication
* Fri Mar 11 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.3-1
- New upstream release 1.5.3
- Support for libldb >= 1.0.0
* Thu Mar 10 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.2-1
- New upstream release 1.5.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2
- Fixes for support of FreeIPA v2
- Fixes for failover if DNS entries change
- Improved sss_obfuscate tool with better interactive mode
- Fix several crash bugs
- Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this
- Delete users from the local cache if initgroups calls return 'no such user'
- (previously only worked for getpwnam/getpwuid)
- Use new Transifex.net translations
- Better support for automatic TGT renewal (now survives restart)
- Netgroup fixes
* Mon Feb 21 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-9
- Fix build against older libldb
* Mon Feb 21 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-8
- Resolves: rhbz#677768 - name service caches names, so id command shows
-                         recently deleted users
* Fri Feb 11 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-7
- Ensure that SSSD builds against libldb-1.0.0 on F15 and later
- Remove .la for memberOf
* Fri Feb 11 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-6
- Fix memberOf install path
* Fri Feb 11 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-5
- Add support for libldb 1.0.0
* Wed Feb  9 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Feb  1 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-3
- Fix nested group member filter sanitization for RFC2307bis
- Put translated tool manpages into the sssd-tools subpackage
* Thu Jan 27 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-2.1
- Remove requirement on krb5-devel 1.9
* Thu Jan 27 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-2
- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during
- rpmbuild
* Thu Jan 27 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.1-1
- New upstream release 1.5.1
- Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
- Vast performance improvements when enumerate = true
- All PAM actions will now perform a forced initgroups lookup instead of just
- a user information lookup
-   This guarantees that all group information is available to other
-   providers, such as the simple provider.
- For backwards-compatibility, DNS lookups will also fall back to trying the
- SSSD domain name as a DNS discovery domain.
- Support for more password expiration policies in LDAP
-    389 Directory Server
-    FreeIPA
-    ActiveDirectory
- Support for ldap_tls_{cert,key,cipher_suite} config options
- Assorted bugfixes
* Tue Jan 11 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.0-2
- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
* Wed Dec 22 2010 Stephen Gallagher <sgallagh at redhat.com> - 1.5.0-1
- New upstream release 1.5.0
- Fixed issues with LDAP search filters that needed to be escaped
- Add Kerberos FAST support on platforms that support it
- Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
- Added a Kerberos access provider to honor .k5login
- Addressed several thread-safety issues in the sss_client code
- Improved support for delayed online Kerberos auth
- Significantly reduced time between connecting to the network/VPN and
- acquiring a TGT
- Added feature for automatic Kerberos ticket renewal
- Provides the kerberos ticket for long-lived processes or cron jobs
- even when the user logs out
- Added several new features to the LDAP access provider
- Support for 'shadow' access control
- Support for authorizedService access control
- Ability to mix-and-match LDAP access control features
- Added an option for a separate password-change LDAP server for those
- platforms where LDAP referrals are not supported
- Added support for manpage translations
* Thu Nov 18 2010 Stephen Gallagher <sgallagh at redhat.com> - 1.4.1-3
- Solve a shutdown race-condition that sometimes left processes running
- Resolves: rhbz#606887 - SSSD stops on upgrade
* Tue Nov 16 2010 Stephen Gallagher <sgallagh at redhat.com> - 1.4.1-2
- Log startup errors to the syslog
- Allow cache cleanup to be disabled in sssd.conf
* Mon Nov  1 2010 Stephen Gallagher <sgallagh at redhat.com> - 1.4.1-1
- New upstream release 1.4.1
- Add support for netgroups to the proxy provider
- Fixes a minor bug with UIDs/GIDs >= 2^31
- Fixes a segfault in the kerberos provider
- Fixes a segfault in the NSS responder if a data provider crashes
- Correctly use sdap_netgroup_search_base
* Mon Oct 18 2010 Stephen Gallagher <sgallagh at redhat.com> - 1.4.0-2
- Fix incorrect tarball URL
* Mon Oct 18 2010 Stephen Gallagher <sgallagh at redhat.com> - 1.4.0-1
- New upstream release 1.4.0
- Added support for netgroups to the LDAP provider
- Performance improvements made to group processing of RFC2307 LDAP servers
- Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin
- Build-system improvements to support Gentoo
- Split out several libraries into the ding-libs tarball
- Manpage reviewed and updated
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #683267 - sssd 1.5.1-9 breaks AD authentication
        https://bugzilla.redhat.com/show_bug.cgi?id=683267
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update sssd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

