7.202. sssd

Bug Fixes

BZ#1168363

The "domains=" option for the pam_sss module

BZ#1088402

The UPN (User Principal Name) attribute to identify users and user logins

BZ#1036745

Password expiration warnings for non-password authentication

BZ#1168344

The ID views feature

BZ#1168377

Transferring the user shell attribute from an Active Directory (AD) server to an Identity Management (IdM) client

BZ#1098147

Updating cached entries out-of-band in the background

BZ#1161564

The ad_site option can be used to override the AD site discovered from DNS

BZ#1168357

A new Kerberos plug-in maps Kerberos principals to local SSSD user names

BZ#1168378

Groups for AD trusted users are displayed without logging in

BZ#1171782

The case_sensitive option accepts the "preserve" value.

BZ#1173198

The ldap_access_order option accepts the "ppolicy" value.

BZ#1187642

SSSD can use GPOs on an AD server

BZ#1123291

Applications leveraging identities from SSSD could terminate unexpectedly while invalidating the memory cache using the sss_cache utility. This bug has been fixed, and using sss_cache is safe.

BZ#1134942

SSSD properly recognizes Windows 2012R2 as an AD server and applies the correct AD-specific performance optimizations.

BZ#1139878

SSSD failed to connect to servers that only allowed authenticated connections to read the rootDSE entry, such as IBM Tivoli LDAP servers. SSSD now retries an authenticated connection after a non-authenticated connection fails while reading rootDSE. As a result, SSSD works as expected with these servers.

BZ#1170910

When the simple_allow_groups and simple_allow_users options contained non-existent and existing entries, SSSD denied access to the existing users or groups. Now, SSSD logs and skips the non-existent entries and correctly handles the existing ones.

BZ#1173738, BZ#1194367

This update fixes bugs that caused SSSD to terminate unexpectedly due to memory errors or when trying to access callback data.

BZ#1135838, BZ#1172865

The sssd-ldap(5) and sssd.conf(5) man pages have been modified.

BZ#1201847

SSSD downloaded an unnecessary amount of data when obtaining information about groups from an AD provider when using POSIX attributes on the server. With this update, SSSD downloads only the information about the group object, not the contents of the group.

BZ#1205382

SSSD did not properly handle the "objectGUID" AD LDAP attribute. Now, SSSD considers "objectGUID" a binary value as expected, and the attribute is stored correctly.

BZ#1215765

If a multi-process program requested the initgroups data immediately after SSSD startup, before the SSSD cache was ready, the NSS responder could incorrectly return an empty group list. With this update, the initgroups requests from a multi-process program with an empty cache work correctly, and the described problem no longer occurs.

BZ#1221358

Setups with "subdomains_provider=none" set for AD domains did not sometimes work as expected. Now, the ldap_idmap_default_domain_sid option value is used for the SSSD main domain, thus fixing the bug. Note that ldap_idmap_default_domain_sid must be set for SSSD to function correctly in this situation.

Enhancement

BZ#1171378

SRV queries now honor the time to live (TTL) values from DNS.