4.168. sssd

BZ#806765

If an LDAP server had the paging control module installed but not enabled or if a highly loaded LDAP server was restricted to a single page search operation at the time, SSSD could unexpectedly deny simple paged search requests with the following error message:

Unexpected result from ldap: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection.

This update implements the "ldap_disable_paging" option, which allows SSSD to disable the LDAP paging control. With this option set, the number of SSSD lookups is limited to the maximum defined by the LDAP server and SSSD no longer fails with aforementioned error in this scenario.

BZ#860788

If a single group was present in two different places in the LDAP group hierarchy, the sssd daemon skipped the whole nesting level that contained the group when it was processing the group for the second time. With this update, sssd only skips the single group that was already processed and moves to other groups on the same nesting level, thus fixing this bug.

Bug Fixes

BZ#782221

Previously, the SSSD daemon could deny simple paged search requests, if an LDAP (Lightweight Directory Access Protocol) server had the paging control module installed but not enabled or if a highly loaded LDAP server was restricted to a single page search operation. With this update, the "ldap_disable_paging" option disables the LDAP paging control to limit the number of SSSD lookups defined by the LDAP server.

BZ#783081

Previously, a segmentation fault could occur when the IPA HBAC (Host-Based Access Control) code iterated over the list of groups with an entity that formed the HBAC rule without checking its validity. This update creates an empty array to allow the HBAC code to loop safely.

BZ#797272

Previously, the SSSD daemon did not have a versioned dependency on the DBus library. Now, a versioned dependency on the DBus library is added to enable SSSD also on older versions of the DBus library.

BZ#797300

Previously, the IPA provider checked only IPA access control policies and ignored additional access control policies when the access provider was configured to use IPA access control policies. Users could get access when the LDAP access provider denied access. Now, LDAP access control policies are checked before the IPA access control policies.

BZ#811912

Previously, provider-specific data was freed before data that was transported between different SSSD processes. A segmentation fault could occur on shutdown when already freed memory was accessed. This update changes the order of free operations.

BZ#815154

Previously, the SSSD daemon was limited to 1024 open files by default. Further logins were rejected if the number of simultaneous connections exceed the limit. This update sets the limit to 8000 open files or the maximum from limits.conf, whichever is less.

BZ#817073

Previously, the SSSD daemon went offline when set to encrypt the communication with the LDAP server using GSSAPI if the first Kerberos server was down. Now, SSSD retries all key distribution centers (KDC) before going offline.

BZ#828190

Previously, the status of a server that was unreachable was reset to neutral after a 30-seconds timeout. The server list marked a server for another retry and the cycle looped if the server list was too long. This update performs only one loop and stops when encountering a server that was checked before.

BZ#833169

Previously, the SSSD daemon kept connections to client applications open for the lifetime of the application. SSSD could use too many file descriptors and refused new connections if many long-running applications were running simultaneously. Now, SSSD keeps a connection to a client application open only for a default interval of 60 seconds.

BZ#841677

Previously, the SSSD daemon did not contain an option to disable source hosts processing. The LDAP query to retrieve hosts could reach the administration limit of the LDAP server and abort if the IPA server contained a large number of hosts. Now, the ipa_hbac_support_srchost option defaults to "False" to switch off source hosts support.

BZ#846664

Previously, the SSSD daemon could skip a complete level of nesting processes when SSSD processed a group that was already encountered on another nesting level. SSSD incorrectly reported group memberships. This update modifies the logic in the LDAP back end to skip only already processed groups.