Fedora 15 Update: sssd-1.5.14-3.fc15

Sun Oct 30 00:30:42 UTC 2011

---------------------------------------------------------------------------=
-----
Fedora Update Notification
FEDORA-2011-14639
2011-10-20 09:34:15
---------------------------------------------------------------------------=
-----

Name        : sssd
Product     : Fedora 15
Version     : 1.5.14
Release     : 3.fc15
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Description :
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

---------------------------------------------------------------------------=
-----
Update Information:

2011-10-21: Added selinux-policy and updated SSSD with explicit Requires

2011-10-23: Changed Requires: to Conflicts: for selinux-policy in sssd

FreeIPA:

=3D=3D What happened to 2.1.2!? =3D=3D

Right after tagging 2.1.2 we found an upgrade issue that would have =

affected any users using the selfsign CA (installed with --selfsign). We =

decided to hold back the release, fix a few more bugs, and just push out =

2.1.3 instead about a week later. So here we are.

=3D=3D Highlights in 2.1.3 =3D=3D

* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to =

start, recovery if discovered IPA server is not responsive and when =

anonymous bind is disabled in 389-ds.

=3D=3D Highlights in 2.1.2 =3D=3D

* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new
password
* ipa server now support multiple namingContexts. ipa-client-install and
password migration were fixed

=3D=3D Upgrading =3D=3D

=3D=3D=3D Server =3D=3D=3D

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
  # yum update freeipa-server --enablerepo=3Dupdates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c =

packages (and perhaps some others). A script will be executed in the rpm =

postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, =

https://bugzilla.redhat.com/show_bug.cgi?id=3D730387, related to =

read-write locks. The NSPR RW lock implementation does not safely allow =

re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During =

testing one user experienced this and the upgrade hung. To break the =

hang kill the ns-slapd process for your realm, wait for the yum =

transaction to complete, then restart 389-ds and manually run the update =

process:

  # service dirsrv start
  # ipa-ldap-updater --update

=3D=3D=3D Client =3D=3D=3D

The ipa-client-install tool in the ipa-client package is just a =

configuration tool. There should be no need to re-run this on every =

client already enrolled.

SSSD:
=3D=3D Highlights =3D=3D
 * Improved handling of users and groups with multi-valued name
attributes (aliases)
 * Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
 * Improved process-hang detection and restarting
 * Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries)
 * Cleaned up the example configuration

389-ds-base:
 * fix config del/add mods
 * memberof is transaction aware resource
 * limits for simple paged results
 * Native systemd support
 * Fix for managed entry
 * Fixed source tarball
 * fix transaction support in ldbm_delete

---------------------------------------------------------------------------=
-----
ChangeLog:

* Sun Oct 23 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.14-3
- Change selinux policy requirement to Conflicts: with the old version,
  rather than Requires: the supported version.
* Fri Oct 21 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.14-2
- Add explicit requirement on selinux-policy version to address new SBUS
  symlinks.
* Wed Oct 19 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.14-1
- New upstream release 1.5.14
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.14
- Improved handling of users and groups with multi-valued name attributes
  (aliases)
- Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
- Improved process-hang detection and restarting
- Enabled the midpoint cache refresh by default (fewer cache misses on comm=
only-used entries)
- Cleaned up the example configuration
* Fri Sep  2 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.13-1.2
- Rebuild with explicit dependency on libldb
* Mon Aug 29 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.13-1.1
- Rebuild against fixed libtevent version
* Mon Aug 29 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.13-1
- New upstream release 1.5.13
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13
- Fixes a serious issue with LDAP connections when the communication is
  dropped (e.g. VPN disconnection, waking from sleep)
- SSSD is now less strict when dealing with users/groups with multiple names
  when a definitive primary name cannot be determined
- The LDAP provider will no longer attempt to canonicalize by default when
  using SASL. An option to re-enable this has been provided
- Fixes for non-standard LDAP attribute names (e.g. those used by Active
  Directory)
- Three HBAC regressions have been fixed
* Fri Aug  5 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.12-1
- New upstream release 1.5.12
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.12
- Fixes a regression introduced in 1.5.11 with hostname resolution
- Fixes an issue where sssd_pam would leak file descriptors until resource
  exhaustion
- Complete rewrite of the FreeIPA Host-Based Access Control (HBAC) resolver
- New shared library for HBAC access-control
- Fixes for password expiration handling with LDAP auth
- New option to veto certain centrally-managed shells (Patch by John Hodrie=
n)
* Tue Jul  5 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.11-2
- New upstream release 1.5.11
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
- Fix a serious regression that prevented SSSD from working with ldaps:// U=
RIs
- IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6
- address being saved to the AAAA record
* Fri Jul  1 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.10-1
- New upstream release 1.5.10
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10
- Fixed a regression introduced in 1.5.9 that could result in blocking calls
- to LDAP
* Thu Jun 30 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.9-1
- New upstream release 1.5.9
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9
- Support for overriding home directory, shell and primary GID locally
- Properly honor TTL values from SRV record lookups
- Support non-POSIX groups in nested group chains (for RFC2307bis LDAP
- servers)
- Properly escape IPv6 addresses in the failover code
- Do not crash if inotify fails (e.g. resource exhaustion)
- Don't add multiple TGT renewal callbacks (too many log messages)
* Fri May 27 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.8-1
- New upstream release 1.5.8
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8
- Support for the LDAP paging control
- Support for multiple DNS servers for name resolution
- Fixes for several group membership bugs
- Fixes for rare crash bugs
* Mon May 23 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.7-3
- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d
- Make sure to properly convert to systemd if upgrading from newer
- updates for Fedora 14
* Mon May  2 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.7-2
- Fix segfault in TGT renewal
---------------------------------------------------------------------------=
-----
References:

  [ 1 ] Bug #743035 - HBAC processing is very slow when dealing with FreeIP=
A deployments with large numbers of hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=3D743035
  [ 2 ] Bug #741744 - MOD operations with chained delete/add get back error=
 53 on backend config
        https://bugzilla.redhat.com/show_bug.cgi?id=3D741744
  [ 3 ] Bug #743966 - Compiler warnings in account usability plugin
        https://bugzilla.redhat.com/show_bug.cgi?id=3D743966
  [ 4 ] Bug #740942 - allow resource limits to be set for paged searches in=
dependently of limits for other searches/operations
        https://bugzilla.redhat.com/show_bug.cgi?id=3D740942
  [ 5 ] Bug #742324 - allow nsslapd-idlistscanlimit to be set dynamically a=
nd per-user
        https://bugzilla.redhat.com/show_bug.cgi?id=3D742324
  [ 6 ] Bug #739172 - Allow separate fractional attrs to be defined for inc=
remental and total protocols
        https://bugzilla.redhat.com/show_bug.cgi?id=3D739172
  [ 7 ] Bug #736712 - Modifying ruv entry deadlocks server
        https://bugzilla.redhat.com/show_bug.cgi?id=3D736712
  [ 8 ] Bug #590826 - Reloading database from ldif causes changelog to emit=
 "data no longer matches" errors
        https://bugzilla.redhat.com/show_bug.cgi?id=3D590826
  [ 9 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
        https://bugzilla.redhat.com/show_bug.cgi?id=3D730387
  [ 10 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Co=
ntrol '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
        https://bugzilla.redhat.com/show_bug.cgi?id=3D611438
  [ 11 ] Bug #735114 - renaming a managed entry does not update mepmanagedby
        https://bugzilla.redhat.com/show_bug.cgi?id=3D735114
---------------------------------------------------------------------------=
-----

This update can be installed with the "yum" update program.  Use =

su -c 'yum update sssd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on t=
he
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
---------------------------------------------------------------------------=
-----