The SSSD team is proud to announce the version 1.7.0 enhancement release of the System Security Services Daemon.
As always, it can be downloaded from https://fedorahosted.org/sssd/
== Highlights ==
* Support for case-insensitive domains
* Support for multiple search bases in the LDAP provider
* Support for the native FreeIPA netgroup implementation
* Reliability improvements to the process monitor
* New DEBUG facility with more consistent log levels
* New tool to change debug log levels without restarting SSSD
* SSSD will now disconnect from the LDAP server when idle
* FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains
* Assorted performance improvements in the LDAP provider (reducing disk-writes to the cache)
* '''Experimental''' support for looking up SUDO rules in LDAP
** Not built by default
** Requires unreleased sudo binary. Very preliminary functionality.
* '''Experimental''' support for Heimdal Kerberos implementation (buggy)
== Detailed Changelog ==
Jakub Hrozek (89):
* pyhbac: Do not convert int to bool
* Fix returning groups when gidNumber attribute is not ordered
* Prevent segfault if vetoed_shells are specified without allowed_shells
* Remove unused temporary context
* Handle errno properly in set_debug_file_from_fd()
* Do not delete requests inside hash_iterate loop
* Handle timeout during sss_ldap_init_send
* IPA dyndns: do not segfault if the server cannot be resolved
* Return the first value of name if the multivalued name attribute does not match RDN
* Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
* Use the default Kerberos realm for LDAP with GSSAPI auth
* Fix moving to next entry in deref code
* Allow turning dereference off by setting the threshold to 0
* Change libnl monitor callback to only signal going online
* Discard carrier messages from non-ethernet devices
* Subscribe to netlink route and addr messages
* Improve error message for LDAP password constraint violation
* Keep deref controls until the whole request is finished
* Fix uninitialized pointer read in sdap_gssapi_get_default_realm()
* Fix wrong buffer size in has_phy_80211_subdir()
* Multiline macro cleanup
* IPA access: hostname comparison should be case-insensitive
* Add sysdb interface to get name aliases
* Add a sysdb_get_direct_parents function
* Store name aliases for users, groups
* Return users and groups based on alias
* Use explicit base 10 for converting strings to integers
* Fix typo in sysdb_get_direct_parents
* Add option to follow symlinks to check_file()
* Append PID to sbus server socket name, let clients use a symlink
* Streamline the example config
* Check if dp_requests hash table exists before using it
* Fix off-by-one error in remove_socket_symlink()
* Report on errno, not return code in create_socket_symlink
* Add a missing break
* Sanitize DN in sysdb_get_direct_parents
* gitignore additions
* Utility functions for LDAP nested schema initgroups
* Use fewer transactions during RFC2307bis initgroups
* Use fewer transactions during IPA initgroups
* Cancel transactions correctly during initgroups
* Plug memory leaks in LDAP provider
* Plug memory leaks in sysdb_ops
* Do not leak hash table iterator during proxy auth
* resolver: Free the whole hostent structure
* RFC2307bis initgroups: fix nested groups processing
* Steal result onto mem_ctx in sdap_initgr_nested_get_direct_parents
* Use LDAPDerefSpec properly
* Remove confusing do-while loop
* Fix segfault in sdap_get_initgr_user
* Use correct state struct in sdap_initgr_rfc2307bis_next_base
* configAPI: Fix removing in old domain when saving a new domain
* Squash transactions in sdap_initgr_common_store
* Use one transaction instead of two during RFC2307bis group processing
* Prevent printing NULL in several places of LDAP provider
* Cleanup: Remove unused parameters
* Fix sdap_id_ctx/ipa_id_ctx mismatch in IPA provider
* Provide means of forcing TLS and GSSAPI enabled/disabled for sdap connections
* IPA migration fixes
* Fix two small bugs in group dereferencing
* Use dereference during IPA provider initgroups
* Pass the correct private data into Data Provider callback
* Always attempt to connect in sdap_async_sys_connect_done
* LDAP provider: Error while setting the nocanon option should not be fatal
* Cancel ping_check if service goes away
* sss_utf8_tolower utility function+unit tests
* Responders: Split getting domain by name into separate function
* Canonicalize username in PAM provider
* Use the case sensitivity flag in responders
* Refactor saving sdap entities
* sysdb_get_real_name helper function
* Use the case sensitivity flag in the LDAP provider
* Use the case sensitivity flag in the simple access provider
* Use the case sensitivity flag in the proxy provider
* Export the function to convert ldb_result to sysdb_attrs
* SUDO Integration - sysdb interface
* SUDO Integration - LDAP provider - save sudo rules functions
* SUDO Integration - responder - get sudo rules logic
* DP: Remove processed callbacks
* Pass client context to sss_dp_get_account_send
* Pass sdap_id_ctx to online check from IPA provider
* Error out if local domain is case insensitive
* Resolver: Introduce a per-request timeout
* Do not touch resolve_service_state in fo_resolve_service_done
* Failover: Introduce a per-service timeout
* Save original memberof, not memberof
* sss_get_cased_name utility function
* Return user and group names lowercased in case insensitive domains
* Honor case sensitive flag when creating the ccname template
Jan Zeleny (37):
* sysdb refactoring: renamed ctx variable to sysdb
* Added sysdb_ctx_get_domain function
* sysdb refactoring: deleted domain variables in sysdb API
* sysdb refactoring: memory context deleted
* Remaining memory context variables renamed
* sdap_async_accounts.c split
* Confusing part of code cleared out
* Moved some functions in sdap_async_groups
* Moved some functions in sdap_async_initgroups
* Fixed bad logic in processing netgroups in LDAP provider
* man page fix (lists are comma-separated)
* Fixed timeout handling in responders
* Added krb5_fast_principal to SSSDConfig API
* Cleanup of unused function in ldap access provider
* Add wrapper for krb5_get_init_creds_opt_set_canonicalize
* Add support to request canonicalization on krb AS requests
* Support to request canonicalization in LDAP/IPA provider
* Handle group renaming correctly
* Fixed possible resource leak in get_uid_from_pid()
* Fixed possible resource leak in create_mail_spool()
* Fixed empty loginShell in proxy provider
* Fixed unchecked value of setenv() in check_and_export_options()
* Renamed some LDAP routines
* Modified sdap_parse_search_base()
* Added and modified options for IPA netgroups
* New IPA ID context
* Added support for fetching netgroups in IPA provider
* Added IPA account info handler
* Fixed a typo in sysdb_upgrade_07() declaration
* Fixed uninitialized pointer read in netgroups processing
* Fixed logically dead code in netgroup processing
* Add ipa_hbac_support_srchost option to IPA provider
* Fixed an error in macro for merging double linked lists
* Fixed incorrect return code in PAM client
* Add ldap_sasl_minssf option
* Fixed IPA netgroup processing
* Deleted declaration of nss_get_dom()

Krzysztof Klimonda (1):
* Fix FTBFS related to -Werror=format-security

Marko Myllynen (4):
* Add missing options to sssd.api.conf
* Unbreak ./configure
* Update sssd-example.conf
* Typo fixes

Pavel Březina (35):
* debug_timestamps fixes
* Fixed implicit declaration of function 'time' in src/sss_client/common.c.
* New DEBUG facility - new levels
* New DEBUG facility - modified DEBUG
* New DEBUG facility - conversion
* New DEBUG facility - man pages
* New DEBUG facility - unit tests
* New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0
* --debug-timestamps=1 is not passed to providers
* sss_ldap_err2string() - function created
* sss_ldap_err2string() - ldap_err2string() to sss_ldap_err2string()
* sss_debuglevel - change the debug levels on the fly
* DEBUG timestamps offer higher precision
* DEBUG timestamps offer higher precision - man page updated
* DEBUG timestamps offer higher precision - unit tests updated
* DEBUG timestamps offer higher precision - SSSDConfig updated
* Added quiet option to pam_sss
* SysDB commands that save lastUpdate allows this value to be passed in
* Fixes debug-tests.c coverity issues: NEGATIVE_RETURNS, FORWARD_NULL
* sss_cli.h - fix: function declaration after the header guard
* Added sssd --version option
* Added sss_ldap_dn_in_search_bases()
* Support search bases in RFC2307bis enumeration
* Support search bases in netgroup members translation
* SUDO integration - client common interface
* SUDO integration - data provider backend handler
* SUDO Integration - LDAP configuration options
* SUDO integration - LDAP provider
* SUDO Integration - responder
* SUDO Integration - API for sudo
* SUDO Integration - pseudo client for testing
* Logically dead code in sdap_nested_group_lookup_group
* Use of uninitialized value in sss_ldap_dn_in_search_bases
* SUDO Integration - be_sudo_req removed from sudo_ctx
* SUDO Integration - fixed memory leak in sdap_sudo_handler()

Pavel Zuna (2):
* Fix small bug where TALLOC_CTX could end up unfreed.
* Add common SIGCHLD handling for providers.

Ralf Haferkamp (1):
* Allow the O_NONBLOCK flag to be reset correctly

Simo Sorce (1):
* Set more strict permissions on keyring
Stephen Gallagher (74):
* Bumping version to 1.7.0
* Revert "Allow LDAP to decide when an expiration warning is warranted"
* Rename sssd.conf to sssd-example.conf
* Include the configuration file as a %ghost entry
* Remove private shared object Provides: for pysss.so and pyhbac.so
* Cancel sysdb upgrade transaction if commit fails
* Fix potential double-free issue
* Fix broken RHEL5 build
* Use sysdb attribute name for GID, not LDAP attribute
* HBAC: Handle saving groups that have no members
* HBAC: Use of hostgroups for targethost or sourcehost was broken
* HBAC: Properly skip all non-group memberOf entries
* Add option to specify the kerberos replay cache dir
* Fix typo in %configure
* Remove all libtool .la files from RPM
* Improve documentation of libipa_hbac
* Add libipa_hbac documentation to the -devel package
* MONITOR: Correctly detect lack of response from services
* Do not build documentation on RHEL 5
* Fix typo in specfile
* MAN: Add more information about internal credential storage
* Enable the midpoint cache update by default
* HBAC: fix typos preventing proper hostgroup evaluation
* SYSDB: New source file for sysdb upgrade routines
* HBAC: Do not save member/memberOf links
* HBAC: Use originalMember for identifying servicegroups
* HBAC: Use originalMember for identifying hostgroups
* BUILDSYS: Fix --without-manpages
* TOOLS: Do not leak pid_file handle on error
* MONITOR: fix timeout conversion
* Updating translation files
* SSSDConfig: Handle integer parsing more leniently
* Remove unused sdap_options attributes
* Fix size return for split_on_separator()
* Make sdap_get_id_specific_filter() more strict
* LDAP: Add parser for multiple search bases
* LDAP: Support multiple user search bases (non-enumeration)
* LDAP: Support multiple netgroup search bases
* LDAP: Support multiple group search bases (non-enumeration, RFC2307)
* LDAP: Add multiple search bases for initgroups (users)
* LDAP: Add multiple search bases for initgroups (RFC2307 groups)
* LDAP: Add multiple search bases for initgroups (RFC2307bis groups)
* LDAP: Update manpages with multiple search base information
* LDAP: Convert ldap_*_search_filter
* LDAP: Add support for multiple search bases for user enumeration
* LDAP: Add support for multiple search bases for group enumeration
* RESPONDER: Fix segfault in sss_packet_send()
* SYSDB: add index for nameAlias
* Periodic translation file update
* LDAP: Remove redundant groups from the lookup list
* SBUS: Fix DEBUG log matching
* RESPONDER: Ensure that all input strings are valid UTF-8
* SYSDB: Make ENOENT log messages less threatening
* Fix broken build due to commit of IPA netgroup support
* Add -fno-strict-aliasing
* LDAP: Try next failover server on any error
* RESPONDER: Refactor DP requests into tevent_req style
* Allow using Glib for UTF8 support
* Ignore NULL-terminator when checking UTF8-validity
* LDAP: Fix missing break statements in force_tls
* Ignore NULL-terminator when checking UTF8-validity for netgroups
* Fix potential resource leak in backup_file.c
* Fix uninitialized value error in ipa_netgroups.c
* Add sdap_connection_expire_timeout option
* Update spec file to build with Glib on RHEL 5
* Fix typo in IPA SSSDConfig file
* Move child_common routines to util
* Reorder pidfile() function to guarantee NULL-termination
* Securely set umask when using mkstemp
* Update translations for string freeze
* MONITOR: use sigchld handler for monitoring SSSD services
* PAM: make initgroups timeout work across multiple clients
* Add compatibility layer for Heimdal Kerberos implementation
* Importing new translations for 1.7.0 release

Sumit Bose (2):
* Improve password policy error code and message
* Do not access memory out of bounds

Thorsten Scherf (1):
* Fixed translation bug

Yuri Chornoivan (2):
* Fix two man page typos
* Fix typos in manual pages
sssd-devel@lists.fedorahosted.org