# SSSD 2.7.0
The SSSD team is proud to announce the release of version 2.7.0 of the
System Security Services Daemon. The tarball can be downloaded from:
See the full release notes at:
RPM packages will be made available for Fedora shortly.
## New pgp key
So far we have been signing each release with our personal keys.
Starting from this release (including) we have switched to the new
project key that is used to sign our release tarball.
- Key ID: C13CD07FFB2DB1408E457A3CD3D21B2910CF6759
- URL: https://github.com/SSSD/sssd/blob/2.7.0/contrib/pubkey.asc
- Keyserver: keys.openpgp.org
## Changes release process
We have switched to a more aggressive release process since the release
of 2.0, where we were trying to publish new features even on every .z
release. From now on, we want to switch the process again to prioritize
stabilization of each released version. Therefore .z releases will
rather focus more on publishing bug fixes and will receive none or only
very few carefully selected new features.
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
### New features
* Added a new krb5 plugin `idp` and a new binary `oidc_child` which
performs **OAuth2** authentication against FreeIPA. This, however, can
not be tested yet because this feature is still under development on
the FreeIPA server side. Nevertheless, we have decided to include this
in the release in order to enable the functionality on the clients
immediately when the FreeIPA project delivers this feature without the
need to update the clients.
### General information
* Better default for IPA/AD re_expression. Tunning for group names
containing '@' is no longer needed.
* A warning is added in the logs if an LDAP operation needs more than
80% of the configured timeout.
* A new debug level is added to show statistical and performance data.
Currently the duration of a backend request and of single LDAP
operations are recorded if debug_level is set to 9 or the bit 0x20000 is
* Added support for anonymous PKINIT to get FAST credentials
* We have many warnings and errors from static analyzers
### Important fixes
* SSSD now correctly falls back to UPN search if the user was not found
even with `cache_first = true`.
### Packaging changes
* Added new configure option `--with-oidc-child` and
`--without-oidc-child` to control build of `oidc_child` (enabled by
* Added new package `sssd-idp` that contains the `oidc_child` and krb5
`idp` plugin, this package is required by `sssd-ipa`.