--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-14639
2011-10-20 09:34:15
--------------------------------------------------------------------------------

Name        : sssd
Product     : Fedora 15
Version     : 1.5.14
Release     : 3.fc15
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Description :
Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.

--------------------------------------------------------------------------------
Update Information:

2011-10-21: Added selinux-policy and updated SSSD with explicit Requires
2011-10-23: Changed Requires: to Conflicts: for selinux-policy in sssd
FreeIPA:
== What happened to 2.1.2!? ==
Right after tagging 2.1.2 we found an upgrade issue that would have affected any users using the selfsign CA (installed with --selfsign). We decided to hold back the release, fix a few more bugs, and just push out 2.1.3 instead about a week later. So here we are.
== Highlights in 2.1.3 ==
* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to start, recovery if discovered IPA server is not responsive and when anonymous bind is disabled in 389-ds.
== Highlights in 2.1.2 ==
* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* User is now prompted to enter current password when changing to a new password
* IPA server now supports multiple namingContexts. ipa-client-install and password migration were fixed
== Upgrading ==
=== Server ===
To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:

# yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes.
There is a bug reported against 389-ds, https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue so it is difficult to predict. During testing one user experienced this and the upgrade hung. To break the hang kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process:

# service dirsrv start
# ipa-ldap-updater --update

=== Client ===
The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled.
SSSD:
== Highlights ==
* Improved handling of users and groups with multi-valued name attributes (aliases)
* Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
* Improved process-hang detection and restarting
* Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
* Cleaned up the example configuration
389-ds-base:
* fix config del/add mods
* memberof is transaction aware
* resource limits for simple paged results
* Native systemd support
* Fix for managed entry
* Fixed source tarball
* fix transaction support in ldbm_delete
--------------------------------------------------------------------------------
ChangeLog:

* Sun Oct 23 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.14-3
- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.
* Fri Oct 21 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.14-2
- Add explicit requirement on selinux-policy version to address new SBUS symlinks.
* Wed Oct 19 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.14-1
- New upstream release 1.5.14
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.14
- Improved handling of users and groups with multi-valued name attributes (aliases)
- Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
- Improved process-hang detection and restarting
- Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
- Cleaned up the example configuration
* Fri Sep 2 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.13-1.2
- Rebuild with explicit dependency on libldb
* Mon Aug 29 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.13-1.1
- Rebuild against fixed libtevent version
* Mon Aug 29 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.13-1
- New upstream release 1.5.13
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13
- Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep)
- SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined
- The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided
- Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory)
- Three HBAC regressions have been fixed
* Fri Aug 5 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.12-1
- New upstream release 1.5.12
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.12
- Fixes a regression introduced in 1.5.11 with hostname resolution
- Fixes an issue where sssd_pam would leak file descriptors until resource exhaustion
- Complete rewrite of the FreeIPA Host-Based Access Control (HBAC) resolver
- New shared library for HBAC access-control
- Fixes for password expiration handling with LDAP auth
- New option to veto certain centrally-managed shells (Patch by John Hodrien)
* Tue Jul 5 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.11-2
- New upstream release 1.5.11
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11
- Fix a serious regression that prevented SSSD from working with ldaps:// URIs
- IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 address being saved to the AAAA record
* Fri Jul 1 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.10-1
- New upstream release 1.5.10
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10
- Fixed a regression introduced in 1.5.9 that could result in blocking calls to LDAP
* Thu Jun 30 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.9-1
- New upstream release 1.5.9
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9
- Support for overriding home directory, shell and primary GID locally
- Properly honor TTL values from SRV record lookups
- Support non-POSIX groups in nested group chains (for RFC2307bis LDAP servers)
- Properly escape IPv6 addresses in the failover code
- Do not crash if inotify fails (e.g. resource exhaustion)
- Don't add multiple TGT renewal callbacks (too many log messages)
* Fri May 27 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.8-1
- New upstream release 1.5.8
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8
- Support for the LDAP paging control
- Support for multiple DNS servers for name resolution
- Fixes for several group membership bugs
- Fixes for rare crash bugs
* Mon May 23 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.7-3
- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d
- Make sure to properly convert to systemd if upgrading from newer updates for Fedora 14
* Mon May 2 2011 Stephen Gallagher sgallagh@redhat.com - 1.5.7-2
- Fix segfault in TGT renewal

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #743035 - HBAC processing is very slow when dealing with FreeIPA deployments with large numbers of hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=743035
  [ 2 ] Bug #741744 - MOD operations with chained delete/add get back error 53 on backend config
        https://bugzilla.redhat.com/show_bug.cgi?id=741744
  [ 3 ] Bug #743966 - Compiler warnings in account usability plugin
        https://bugzilla.redhat.com/show_bug.cgi?id=743966
  [ 4 ] Bug #740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations
        https://bugzilla.redhat.com/show_bug.cgi?id=740942
  [ 5 ] Bug #742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-user
        https://bugzilla.redhat.com/show_bug.cgi?id=742324
  [ 6 ] Bug #739172 - Allow separate fractional attrs to be defined for incremental and total protocols
        https://bugzilla.redhat.com/show_bug.cgi?id=739172
  [ 7 ] Bug #736712 - Modifying ruv entry deadlocks server
        https://bugzilla.redhat.com/show_bug.cgi?id=736712
  [ 8 ] Bug #590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
        https://bugzilla.redhat.com/show_bug.cgi?id=590826
  [ 9 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
        https://bugzilla.redhat.com/show_bug.cgi?id=730387
  [ 10 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Control '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
        https://bugzilla.redhat.com/show_bug.cgi?id=611438
  [ 11 ] Bug #735114 - renaming a managed entry does not update mepmanagedby
        https://bugzilla.redhat.com/show_bug.cgi?id=735114

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use su -c 'yum update sssd' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys

--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org