[Freeipa-interest] Announcing the release of SSSD 1.5.0

Stephen Gallagher sgallagh at redhat.com
Wed Dec 22 18:52:40 UTC 2010



The SSSD team is proud to announce the latest enhancement release of the
System Security Services Daemon.

The source tarball is available at https://fedorahosted.org/sssd


== Highlights ==
 * Fixed issues with LDAP search filters that needed to be escaped
 * Add Kerberos FAST support on platforms that support it
 * Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
 * Added a Kerberos access provider to honor .k5login
 * Addressed several thread-safety issues in the sss_client code
 * Improved support for delayed online Kerberos auth
  * Significantly reduced time between connecting to the network/VPN and acquiring a TGT
 * Added feature for automatic Kerberos ticket renewal
  * Provides the Kerberos ticket for long-lived processes or cron jobs even when the user logs out
 * Added several new features to the LDAP access provider
  * Support for 'shadow' access control
  * Support for authorizedService access control
  * Ability to mix-and-match LDAP access control features
 * Added an option for a separate password-change LDAP server for those platforms where LDAP referrals are not supported
 * Added support for manpage translations

== Detailed Changelog ==
Jakub Hrozek (5):
 * Always use uint32_t for UID/GID numbers
 * Internal DNS resolver should check /etc/hosts
 * Allow protocol fallback for SRV queries
 * Make manual pages translatable
 * Add Czech translation

Jan Zeleny (1):
 * Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.

Marko Myllynen (1):
 * Fix a typo in sssd-krb5 man page

Moritz Baumann (1):
 * Fix misused SDAP_SEARCH_BASE

Piotr Drąg (1):
 * Updating pl translation

Simo Sorce (6):
 * sss_client: make code thread-safe
 * Pass sdap_id_ctx in sdap_id_op functions.
 * ldap: remove variable that was never assigned nor used
 * ldap: add checks to determine if USN features are available.
 * ldap: Use USN entries if available.
 * Fix wrong test in pam_sss

Stephen Gallagher (58):
 * Write log opening failures to the syslog
 * Improve versioning for automated builds
 * Bumping version to 1.5.0 dev
 * Fix incorrect free of req in krb5_auth.c
 * Don't clean up groups for which a user has it as primary GID
 * Handle errors during log reopening better
 * Properly check the return value from semanage_commit
 * Add utility function to sanitize LDAP/LDB filters
 * Add sysdb utility function for sanitizing DN
 * Sanitize search filters for the sysdb
 * Sanitize sysdb search filters in the IPA provider
 * Sanitize sysdb filters in the LDAP provider
 * Sanitize sysdb DN helpers
 * Sanitize search filters in memberOf plugin
 * Sanitize sysdb dn for memberof lookup
 * Add unit tests for users and groups with odd characters
 * Sanitize search filters in LDAP provider
 * Properly document ldap_purge_cache_timeout
 * Sanitize ldap attributes in the config file
 * Fix cast warning for pam_sss.c
 * Fix const cast warning for sysdb_update_members
 * Fix const cast warning in build_attrs_from_map
 * Fix const cast issue with sysdb_attrs_users_from_str_list
 * Fix const cast warning in confdb_create_ldif
 * Fix const cast warnings in tests
 * Fix incorrect type comparison
 * Log startup errors to syslog
 * Ensure that SSSD shuts down completely before restarting
 * Fix authentication queue code for proxy auth
 * Wait for all children to exit
 * Add signal documentation to sssd(8)
 * Print correct error messages for dp_err_to_string()
 * Make default SIGTERM and SIGINT handlers use tevent
 * Resend SIGTERM if child doesn't terminate
 * Set up signal handlers before initializing sysdb
 * Make sure that sss_obfuscate installs as executable
 * Move sss_* tools into their own subpackage
 * Remove IPA_ACCESS_TIME define
 * Add group support to the simple access provider
 * Fix timeouts for DNS resolver
 * Reschedule the fd timeout for secondary lookups
 * Eliminate possible NULL-dereference in pam_check_user_search
 * Add missing break statement to sss_hash_create
 * Prevent uninitialized value error in monitor_quit
 * Fix invalid sizeof in pidfile
 * Fix segfault for PAM_TEXT_INFO conversations
 * Fix unchecked return value in sss_krb5_verify_keytab_ex
 * Fix unsafe return condition in ipa_access_handler
 * Fix uninitialized value error in set_local_and_remote_host_info
 * Fix unchecked return value in test_sysdb_attrs_to_list
 * Fix unchecked return value in set_nonblocking
 * Start first enumeration immediately
 * Add sysdb_has_enumerated and sysdb_set_enumerated helper functions
 * Pass all PAM data to the LDAP access provider
 * Add authorizedService support
 * Ensure ID is checked in all domains for PAM
 * Update the ID cache for any PAM request
 * Committing new translation updates for release

Sumit Bose (79):
 * Add ldap_deref option
 * Add some missing ldap_memfree()
 * Download only enabled IPA HBAC rules
 * Add netgroups infrastructure to proxy provider
 * Implement netgroups for proxy provider
 * Remove all nss requests after a reconnect
 * Always use talloc_zero() to allocate cmdctx
 * Fix double free issue
 * Allow authentication for referrals
 * Mention ding-libs in BUILD.txt
 * Fix two return value checks
 * Store krb5 auth context for other targets
 * Add infrastructure for Kerberos access provider
 * Add krb5_get_simple_upn()
 * Make krb5_setup() public
 * Add krb5_kuserok() access check to krb5_child
 * Make handle_child_* request public
 * Call krb5_child to check access permissions
 * Add defaultNamingContext to RootDSE attributes
 * Use (default)namingContext to set empty search bases
 * Make ldap_search_base a non-mandatory option
 * Review comments for namingContexts patches
 * Avoid long long in messages to PAM client use int64_t
 * Introduce pam_verbosity config option
 * Add missing error code
 * Fix offline detection for LDAP auth/chpass
 * Fix man page
 * Use a more efficient host search filter
 * Add SIGUSR2 to reset offline status
 * fix typo in get_server_status()
 * Fix a typo on setup_netlink()
 * Daemonize by default
 * Run checks before resetting offline state
 * Fix offline detection in sdap_cli_connect request
 * Add check_online method to LDAP ID provider
 * Add a special filter type to handle enumerations
 * Send authtok_type to krb5_child
 * Add a renew task to krb5_child
 * Check authtok type for krb5 auth and chpass
 * Add krb5_renewable_lifetime option
 * Add krb5_lifetime option
 * Add support for server-side pam response messages
 * krb5_child returns TGT lifetime
 * Add support for automatic Kerberos ticket renewal
 * Allow krb5 lifetime values without a unit
 * Make string_to_shadowpw_days() public
 * Add new account expired rule to LDAP access provider
 * Add ldap_chpass_uri config option
 * Refactor krb5_child to make helpers more flexible
 * Add support for FAST in krb5 provider
 * Mark unavailable Kerberos server as PORT_NOT_WORKING
 * Replace krb5_kdcip by krb5_server in LDAP provider
 * Fix build issue with older Kerberos library
 * Remove check_access_time() from IPA access provider
 * Bye, bye, ipa_timerules
 * Fix unchecked return value in sdap_get_msg_dn()
 * Fix unchecked return value in sdap_parse_entry()
 * Remove unused newauthtok variable in LOCAL_pam_handler
 * Fix improper NULL check in fo_add_srv_server()
 * Fix incorrect return value on failure in resolve_get_domain_send()
 * Fix incorrect return value on failure in check_and_export_options()
 * Fix uninitialized value error in sdap_account_expired_shadow()
 * Fix uninitialized value error in setup_test in fail_over-tests.c
 * Fix improper bit manipulation in pam_sss
 * Fix possible memory leak in sss_nss_recv_rep()
 * Fix uninitialized value error in main() in stress-tests.c
 * Fix possible memory leak in do_pam_conversation
 * Fix another possible memory leak in sss_nss_recv_rep()
 * Fix memory leak of library handle in proxy
 * Fix uninitialized value error in lookup_netgr_step()
 * Fix possible NULL-dereference in lookup_netgr_step()
 * Avoid multiple initializations in LDAP provider
 * Introduce sss_hash_create_ex()
 * Fixes for automatic ticket renewal
 * Serialize requests of the same user in the krb5 provider
 * Update config API files
 * Add all values of a multi-valued user attribute
 * Remove unused member of a struct
 * Fix potential NULL-dereference in krb5_auth_done()

Yuri Chornoivan (1):
 * Updating uk translation

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/