# SSSD 2.9.0
The SSSD team is announcing the release of version 2.9.0 of the
System Security Services Daemon. The tarball can be downloaded from:
See the full release notes at:
RPM packages will be made available for Fedora shortly.
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
### General information
* The `sss_simpleifp` library is deprecated and might be removed in future
releases. Those who want to keep using it for now should enable its
build explicitly with the `--with-libsifp` `./configure` option.
* The "Files provider" (i.e. `id_provider = files`) is deprecated and might
be removed in future releases. Those who want to keep using it for now
should enable its build explicitly with the `--with-files-provider`
`./configure` option, or consider using the "Proxy provider" with
`proxy_lib_name = files` instead.
* The previously deprecated `--enable-files-domain` configure option, which
was used to manage the default value of the `enable_files_domain` config
option, is now removed.
* Long time unused '--enable-all-experimental-features' configure option
* SSSD will no longer warn about changed defaults when using
`ldap_schema = rfc2307` and default autofs mapping. This warning was
introduced in 1.14 to loudly warn about different default values.
### New features
* New passkey functionality, which allows the use of FIDO2-compliant
devices to authenticate a centrally managed user locally. Moreover, in
the case of a FreeIPA user, it can also issue a Kerberos ticket
automatically with the upcoming FreeIPA version 4.11.
* Add support for ldapi:// URLs to allow connections to local LDAP servers
* NSS IDMAP has two new methods: `getsidbyusername` and `getsidbygroupname`

Note: support for passkey is in its initial phase and the authentication
policy will be adjusted in future versions.
#### Packaging changes for passkey
* Include passkey subpackage and dependency for libfido2.
#### Configuration changes for passkey
* New options to enable and tune passkey behavior: `pam_passkey_auth`,
`ldap_user_passkey`, `passkey_verification`, `passkey_child_timeout`,
`interactive`, `interactive_prompt`, `touch` and `touch_prompt`.
* `--with-passkey` is a new configuration option to enable building
### Important fixes
* Fixed a regression where running `sss_cache` when no SSSD domain is
enabled would produce a critical syslog message.
### Configuration changes
* The default value of the `cache_first` option was changed to `true` when
SSSD is built without the files provider.
* The `ipa_access_order` parameter was introduced. It behaves much like
`ldap_access_order` but affects IPA domains (`id_provider = ipa`) and
accepts limited values. Please see sssd-ipa(5) for more information.