[PATCH] Add option to disable TLS for LDAP auth
by Stephen Gallagher
This is going to be a controversial patch. It adds support for an option
called "ldap_auth_disable_tls_never_use_in_production" which allows SSSD
to perform LDAP simple-bind authentication without a corresponding TLS
tunnel.
Multiple users have requested (arguably demanded) this feature for
"debugging" purposes. We've resisted it for a long time, but after a
certain point, once people yell often enough, it's probably worth it to
listen.
The option added by this patch is intentionally left out of the manpage
and the SSSDConfig API, as a means to strongly discourage its use.
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
13 years, 2 months
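An added example, not part of the original message or of SSSD's code: because the option above is left out of the manpage and the SSSDConfig API, a configuration audit has to look for it by name. The script below parses sssd.conf text and reports every section that sets it; the sample configuration, the domain names and the function name `find_tls_disabled` are constructed for illustration, and treating only `true` (case-insensitive) as enabled is an assumption about SSSD's boolean parsing.

```python
import configparser

# Option name taken from the patch announcement above.
RISKY_OPTION = "ldap_auth_disable_tls_never_use_in_production"

# Constructed sample sssd.conf for illustration (not from the original post).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = corp, lab

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.corp.example

[domain/lab]
auth_provider = ldap
ldap_uri = ldap://ldap.lab.example
ldap_auth_disable_tls_never_use_in_production = True

[domain/old]
auth_provider = ldap
# ldap_auth_disable_tls_never_use_in_production = true
"""


def find_tls_disabled(conf_text):
    """Return (section, raw_value, enabled, active) for each section that sets the option."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    # Domains listed in [sssd] are the ones the daemon actually starts.
    listed = parser.get("sssd", "domains", fallback="")
    active = {name.strip() for name in listed.split(",") if name.strip()}
    findings = []
    for section in parser.sections():
        if not parser.has_option(section, RISKY_OPTION):
            continue  # commented-out or absent: nothing to report
        raw = parser.get(section, RISKY_OPTION).strip()
        # Assumption: SSSD reads booleans as "true"/"false", case-insensitively.
        enabled = raw.lower() == "true"
        domain = section.split("/", 1)[1] if section.startswith("domain/") else None
        findings.append((section, raw, enabled, domain in active))
    return findings


if __name__ == "__main__":
    for section, raw, enabled, active in find_tls_disabled(SAMPLE_CONF):
        state = "ENABLED" if enabled else "present but not true"
        print(f"[{section}] {RISKY_OPTION} = {raw} ({state}, active domain: {active})")
```

Any hit is worth reviewing even when the value is not `true`, since the option has no place in a production configuration.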
Announcing the release of SSSD 1.5.1
by Stephen Gallagher
The SSSD team is proud to announce the latest bugfix release of the
System Security Services Daemon.
The source tarball is available at https://fedorahosted.org/sssd
== Highlights ==
* Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins
* Vast performance improvements when {{{enumerate = true}}}
* All PAM actions will now perform a forced initgroups lookup instead
  of just a user information lookup
  * This guarantees that all group information is available to other
    providers, such as the simple provider.
* For backwards-compatibility, DNS lookups will also fall back to
  trying the SSSD domain name as a DNS discovery domain.
* Support for more password expiration policies in LDAP
  * 389 Directory Server
  * FreeIPA
  * ActiveDirectory
* Support for ldap_tls_{cert,key,cipher_suite} config options
  * Provided by community member Tyson Whitehead
* Assorted bugfixes
== Detailed Changelog ==
Jakub Hrozek (1):
* NSS obfuscation code cleanup
Piotr Drąg (2):
* Updating pl translation
* Updating pl translation
Stephen Gallagher (27):
* Bumping version to 1.5.1
* Remove unnecessary po4a BuildRequires
* Fix boolean comparison against string
* Work around libldb bug
* Add missing sysdb transaction to group enumerations
* Do not throw a DP error when a netgroup is not found
* Fix missing hash table bug
* Regenerate manpage po[t] files
* Update manpage translations for ldap_enumeration_search_timeout
* Fix usability of sss_obfuscate command
* Do not force a default for debug_level
* Clarify nscd warning
* Remove support for pre-1.1 netlink
* Don't double-sanitize member DNs
* Fix incorrect example file
* Add the user's primary group to the initgroups lookup
* Perform initgroups lookup for PAM
* Add missing include file to sdap_async_accounts.c
* Allow fallback to SSSD domain
* Rename dns_domain to discovery domain for fo_add_srv_server()
* Delete attributes that are removed from LDAP
* Updating translation files for string freeze
* Update translation files for string freeze
* Add uk translation to specfile
* Add missing gettext BuildRequires
* Update man.stamp when the potfile or po4a.cfg is updated
* Add option to disable TLS for LDAP auth
Sumit Bose (22):
* Build and install translated man pages by default
* Use the right status when resetting service discovery
* Rename SRV_NOT_RESOLVED to SRV_RESOLVE_ERROR
* Return groups and users from all domains during enumeration
* Post enumeration tevent request if needed
* Remove unused enumeration cache timeout checks
* Convert obfuscated password once at startup
* Add syslog message to shadow access check
* Add syslog messages to authorized service access check
* Validate user supplied size of data items
* Add overflow check to SAFEALIGN_COPY_*_CHECK macros
* Add timeout parameter to sdap_get_generic_send()
* Add ldap_search_enumeration_timeout config option
* Add LDAP expire policy based on AD attributes
* Add LDAP expire policy base RHDS/IPA attribute
* Add ipa_hbac_search_base config option
* Add pam_pwd_expiration_warning config option
* Use DEFAULT_PAM_VERBOSITY if config value cannot be retrieved
* Fix return value check
* Fix uninitialized value error
* Fix nested group handling during enumeration
* Do not fail if attributes are empty
Tyson Whitehead (1):
* Add ldap_tls_{cert,key,cipher_suite} config options
Yuri Chornoivan (6):
* Updating uk translation
* Add uk translation for manpages
* Fix manpage typos
* Updating uk manpage translation
* Updating uk translation
* Updating uk translation
13 years, 2 months
[PATCH] Update man.stamp when the potfile or po4a.cfg is updated
by Stephen Gallagher
Fixes a build issue with our nightly builder. The man.stamp wasn't being
updated when the potfile or po4a.cfg was updated, which meant that it
was not building the newest languages (and therefore was failing in RPM
creation when it couldn't find the associated files for these languages).
Pushed to master under the one-liner and unbreak-the-build rules.
13 years, 3 months
[PATCH] Install SSSD python files in a package
by Stephen Gallagher
Fixes https://fedorahosted.org/sssd/ticket/759
Note: This change will alter how consumers import the SSSD API.
e.g.
import SSSDConfig
is now
import sssd.SSSDConfig
Projects like authconfig would need to be updated with this change.
13 years, 3 months
[PATCH] Add missing gettext BuildRequires
by Stephen Gallagher
SSIA
Pushed to master under the one-liner and unbreak-the-build rules.
13 years, 3 months
[PATCH] Add uk translation to specfile
by Stephen Gallagher
I overlooked this when pushing the translation patches earlier.
Pushed to master under the one-liner rule.
13 years, 3 months
Fwd: [Transifex] File submitted via email to SSSD | master
by Stephen Gallagher
Ack and pushed to master.
-------- Original Message --------
Subject: [Transifex] File submitted via email to SSSD | master
Date: Sun, 23 Jan 2011 16:34:21 -0000
From: transifex-app(a)fedoraproject.org
To: sgallagh(a)fedoraproject.org
Hello sgallagh, this is Transifex at http://translate.fedoraproject.org/tx/.
The following attached files were submitted to SSSD | master by raven
<raven(a)fedoraproject.org>
Please, visit Transifex at
http://translate.fedoraproject.org/tx//projects/p/sssd/c/master/ in
order to see the component page.
Thank you,
Transifex
13 years, 3 months
Fwd: [Transifex] File submitted via email to SSSD | master
by Stephen Gallagher
Ack and pushed to master
-------- Original Message --------
Subject: [Transifex] File submitted via email to SSSD | master
Date: Sun, 23 Jan 2011 08:09:57 -0000
From: transifex-app(a)fedoraproject.org
To: sgallagh(a)fedoraproject.org
Hello sgallagh, this is Transifex at http://translate.fedoraproject.org/tx/.
The following attached files were submitted to SSSD | master by yurchor
<yurchor(a)fedoraproject.org>
Please, visit Transifex at
http://translate.fedoraproject.org/tx//projects/p/sssd/c/master/ in
order to see the component page.
Thank you,
Transifex
13 years, 3 months