Chapter 1. Authentication
Directory Server supports configurable normalized DN cache
This update provides better performance for plug-ins such as memberOf and for operations which update entries with many DN syntax attributes. The newly implemented configurable normalized DN cache makes DN handling by the server more efficient.
SSSD displays password expiration warnings when using non-password authentication
Previously, SSSD could only verify password validity during the authentication phase. When a non-password authentication method was used, such as during SSH login, SSSD was not called in the authentication phase and therefore did not perform a password validity check. This update moves the check from the authentication phase to the account phase. As a result, SSSD can issue a password expiration warning even when no password is used during authentication. For more information, see the Deployment Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/index.html
SSSD supports login with User Principal Name
In addition to user names, the User Principal Name (UPN) attribute can now be used by SSSD for identifying users and user logins, which is a functionality available to Active Directory users. With this enhancement, it is possible to log in as an AD user with either the user name and the domain, or the UPN attribute.
SSSD supports background refresh for cached entries
SSSD allows cached entries to be updated out-of-band in the background. Prior to this update, when the validity of cached entries expired, SSSD fetched them from the remote server and stored them in the database anew, which could be time consuming. With this update, entries are returned instantly because the back end keeps them updated at all times. Note that this causes a higher load on the server because SSSD downloads the entries periodically instead of only upon request.
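The following sssd.conf fragment is an added example, not part of the release notes, showing how the background refresh is switched on for one LDAP domain. The option name refresh_expired_interval and the entry_cache_timeout default come from sssd.conf(5); the domain name, server name and interval values are constructed.

```ini
# /etc/sssd/sssd.conf (constructed example)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com

# Cached entries stay valid for 5400 seconds (90 minutes, the sssd default).
entry_cache_timeout = 5400

# Refresh expired or nearly expired entries in the background every hour.
# Keep this shorter than entry_cache_timeout, otherwise lookups still hit the
# remote server on expiry. The default of 0 disables the background refresh.
refresh_expired_interval = 3600
```

Because every refresh cycle re-downloads the cached entries, size the interval against how many entries the client keeps cached and how much extra load the LDAP or AD server can absorb; the release note's warning about higher server load applies per client, so a large fleet multiplies it.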
The sudo command supports zlib compressed I/O logs
The sudo command is now built with zlib support, which enables sudo to generate and process compressed I/O logs.
New package: openscap-scanner
A new package, openscap-scanner, is now provided to allow administrators to install and use the OpenSCAP scanner (oscap) without having to install all dependencies of the openscap-utils package, which previously contained the scanner tool. The separate packaging of the OpenSCAP scanner reduces potential security risks associated with installing unnecessary dependencies. The openscap-utils package is still available and contains other miscellaneous tools. Users who only need the oscap tool are advised to remove the openscap-utils package and install the openscap-scanner package.
New package: scap-workbench for easy SCAP evaluation
SCAP Workbench enables easy-to-use SCAP content tailoring and single-machine evaluation. It greatly lowers the entry barrier with its integration of scap-security-guide content. Prior to this update, Red Hat Enterprise Linux 6 included the scap-security-guide and openscap packages, but not the scap-workbench package. Without SCAP Workbench, the command line is required to test SCAP evaluation, which is error prone and a major obstacle for some users. SCAP Workbench enables users to easily customize their SCAP content and test evaluation on single machines.
If supported by NSS, TLS 1.0 or newer is enabled by default
Due to CVE-2014-3566, SSLv3 and older protocol versions are disabled by default. The Directory Server now accepts more secure SSL protocols, such as TLSv1.1 and TLSv1.2, as a version range in the way the NSS library offers. You can also define the SSL range that the console uses when communicating with Directory Server instances.
openldap includes the pwdChecker library
This update introduces the Check Password extension for OpenLDAP by including the OpenLDAP pwdChecker library. The extension is required for PCI compliance in Red Hat Enterprise Linux 6.
SSSD supports overriding automatically discovered AD site
The Active Directory (AD) DNS site to which the client connects is discovered automatically by default. However, the default automatic search might not discover the most suitable AD site in certain setups. In such situations, you can now define the DNS site manually using the ad_site parameter in the [domain/NAME] section of the /etc/sssd/sssd.conf file. For more information about ad_site, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
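An added example, not from the release notes, of pinning an AD-joined client to a site with ad_site. The domain name and the site name BranchOffice are constructed; ad_site must match a site name that exists in the AD forest (AD Sites and Services), otherwise the domain controllers for that site cannot be resolved.

```ini
# /etc/sssd/sssd.conf (constructed example)
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
ad_domain = ad.example.com

# Skip the automatic site discovery and use the domain controllers
# registered for this site. The value is case sensitive and must name an
# existing AD site; a typo here means no DCs are found for the domain.
ad_site = BranchOffice
```

After changing the domain section, restart sssd so the back end re-runs DC discovery. If the client still talks to the wrong controllers, check the sssd domain log for the SRV records it resolved for the configured site.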
certmonger supports SCEP
The certmonger service has been updated to support the Simple Certificate Enrollment Protocol (SCEP). For obtaining certificates from servers, you can now offer enrollment over SCEP.
Performance improvements for Directory Server delete operations
Previously, the recursive nested group look-ups performed during a group delete operation could take a long time to complete if there were very large static groups. The new memberOfSkipNested configuration attribute has been added to allow skipping the nested group check, thus improving performance of delete operations significantly.
SSSD supports user migration from WinSync to Cross-Realm Trust
A new ID Views mechanism of user configuration has been implemented in Red Hat Enterprise Linux 6.7. ID Views enables migration of Identity Management users from a WinSync synchronization-based architecture used by Active Directory to an infrastructure based on Cross-Realm Trusts. For details on ID Views and the migration procedure, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
SSSD supports localauth Kerberos plug-in
This update adds the localauth Kerberos plug-in for local authorization. The plug-in ensures that Kerberos principals are automatically mapped to local SSSD user names. With this plug-in, it is no longer necessary to use the auth_to_local parameter in the krb5.conf file. For more information about the plug-in, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
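The krb5.conf fragment below is an added example, not taken from the release notes, of enabling the SSSD localauth plug-in so that principal-to-user mapping is delegated to SSSD instead of auth_to_local rules. The realm name is constructed, and the module path is assumed to be the one the sssd packages install on a 64-bit Red Hat Enterprise Linux system.

```ini
# /etc/krb5.conf (constructed example)
[libdefaults]
 default_realm = EXAMPLE.COM
 # No auth_to_local rules are needed once the plug-in is active.

[plugins]
 localauth = {
  # Module path assumed for a 64-bit RHEL sssd installation.
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  # Use only the sssd module for localauth decisions, so a principal that
  # SSSD cannot map is rejected rather than falling through to the
  # default "strip the realm" rule.
  enable_only = sssd
 }
```

The enable_only line is the part worth checking: without it, libkrb5 still consults its built-in localauth modules, and a principal from a realm SSSD does not know could map to a local account name by plain realm stripping.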
SSSD supports access to specified applications without system login rights
The domains= option has been added to the pam_sss module, which overrides the domains= option in the /etc/sssd/sssd.conf file. This update also adds the pam_trusted_users option, which allows the user to add a list of numerical UIDs or user names that are trusted by the SSSD daemon. In addition to that, the pam_public_domains option and a list of domains accessible even for untrusted users have been added. These new options enable a system configuration that allows regular users to access specified applications without login rights on the system itself. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
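An added example, not part of the release notes, combining the three options. It assumes two LDAP domains (corp.example.com for system accounts and apponly.example.com for application-only accounts), an application service myapp whose PAM calls come from an unprivileged process, and a constructed service account name appsvc; all of these are hypothetical. The pam_sss line for the system stack is shown as a fragment only.

```ini
# /etc/sssd/sssd.conf (constructed example)
[sssd]
services = nss, pam
# Both domains must be listed here for SSSD to start them at all.
domains = corp.example.com, apponly.example.com

[domain/corp.example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.corp.example.com

[domain/apponly.example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.apponly.example.com

[pam]
# Processes running as these UIDs/users may authenticate against any domain
# (root is trusted by default; appsvc is a constructed example).
pam_trusted_users = 0, appsvc
# Domains that untrusted (non-root) callers of pam_sss may still use.
pam_public_domains = apponly.example.com

# /etc/pam.d/myapp (hypothetical application stack, shown as a fragment)
# domains= on pam_sss narrows the lookup to the application-only domain.
auth     required  pam_sss.so domains=apponly.example.com
account  required  pam_sss.so domains=apponly.example.com

# /etc/pam.d/system-auth (fragment): keep application-only users off the
# system by restricting the system login stack to the corporate domain.
auth     sufficient pam_sss.so use_first_pass domains=corp.example.com
account  [default=bad success=ok user_unknown=ignore] pam_sss.so domains=corp.example.com
```

The two halves work together: pam_public_domains is what lets an unprivileged application process authenticate apponly users at all, and the domains= restriction on the system stack is what keeps those users from logging in to the host. Editing system-auth by hand is the assumption here; on Red Hat Enterprise Linux 6 authconfig can regenerate that file, so verify the domains= option survives after any authconfig run.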
SSSD supports consistent user environment across AD and IdM
The sssd service can read POSIX attributes defined on an Active Directory (AD) server that is in a trust relationship with Identity Management (IdM). With this update, the administrator can transfer a custom user shell attribute from the AD server to an IdM client. SSSD then displays the custom attribute on the IdM client. This update enables maintaining consistent environments across the whole enterprise. Note that the homedir attribute on the client currently displays the subdomain_homedir value from the AD server. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
SSSD supports displaying groups for AD trusted users before login
Active Directory (AD) users from domains of an AD forest in a trust relationship with Identity Management (IdM) are now able to resolve group memberships prior to logging in. As a result, the id utility now displays the groups for these users without requiring the users to log in.
getcert supports requesting certificates without certmonger
Requesting a certificate using the getcert utility during an Identity Management (IdM) client kickstart enrollment no longer requires the certmonger service to be running. Previously, an attempt to do this failed because certmonger was not running. With this update, getcert can successfully request a certificate in the described situation, on the condition that the D-Bus daemon is not running. Note that certmonger starts to monitor the certificate obtained in this way only after reboot.
SSSD supports preserving case of user identifiers
SSSD now supports the true, false, and preserve values for the case_sensitive option. When the preserve value is enabled, the input matches regardless of the case, but the output is always the same case as on the server; SSSD preserves the case for the UID field as it is configured.
SSSD supports denying locked accounts SSH login access
Previously, when SSSD used OpenLDAP as its authentication database, users could authenticate into the system successfully with an SSH key even after the user account was locked. The ldap_access_order parameter now accepts the ppolicy value which can deny SSH access to the user in the described situation. For more information about using ppolicy, see the ldap_access_order description in the sssd-ldap(5) man page.
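An added example, not from the release notes, of the domain section needed for the ppolicy check. The domain and server names are constructed; the point it adds to the text is that ldap_access_order is only consulted when access_provider is set to ldap, and that the denial is made in the PAM account phase.

```ini
# /etc/sssd/sssd.conf (constructed example)
[domain/ldap.example.com]
id_provider = ldap
auth_provider = ldap
# Required: ldap_access_order is ignored unless the LDAP access provider
# is selected for the domain.
access_provider = ldap
ldap_uri = ldaps://ldap.example.com

# Deny access when the OpenLDAP ppolicy overlay has locked the account.
# Because this runs in the account phase, it applies to SSH public-key
# logins that never present a password.
ldap_access_order = ppolicy
```

For the check to reach SSSD, sshd must run the PAM account phase (UsePAM yes in sshd_config) and the sshd PAM stack must include pam_sss.so in its account section; key-based logins skip the auth phase but not the account phase, which is exactly where this lock state is evaluated.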
SSSD supports using GPOs on AD
SSSD can now use Group Policy Objects (GPOs) stored on an Active Directory (AD) server for access control. This enhancement mimics the functionality of Windows clients, and a single set of access control rules can now be used to handle both Windows and Unix machines. In effect, Windows administrators can now use GPOs to control access to Linux clients. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
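An added example, not part of the release notes, of turning on GPO-based access control for an AD-joined client. The domain name is constructed; the options come from sssd-ad(5).

```ini
# /etc/sssd/sssd.conf (constructed example)
[domain/ad.example.com]
id_provider = ad
auth_provider = ad
# GPO evaluation is done by the AD access provider.
access_provider = ad
ad_domain = ad.example.com

# Start in permissive mode: logon-right GPOs (for example "Allow log on
# locally" and "Deny log on through Remote Desktop Services") are evaluated
# and the result is logged, but nobody is denied yet. Once the logs show
# the expected decisions for a few test users, change this to enforcing.
ad_gpo_access_control = permissive
```

Two things to verify before switching to enforcing: the client computer object must be able to read the GPOs in SYSVOL, and the PAM service names in use on the host (sshd, login, gdm and so on) must map onto the logon-right classes you expect; the ad_gpo_map_* options in sssd-ad(5) adjust that mapping when a service is missing from the defaults.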