SSSD 1.13.0
Highlights
- Support for separate prompts when using two-factor authentication was added
- Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that will be released in the IPA 4.2 version
- The fast memory cache now also supports the initgroups operation.
- The PAM responder is now capable of caching authentication for a configurable period, which might reduce server load in cases where accounts authenticate very frequently. Please refer to the cached_auth_timeout option in the sssd.conf manual page.
- The Active Directory provider has changed the default value of the ad_gpo_access_control option from permissive to enforcing. As a consequence, the GPO access control now affects all clients that set access_provider to ad. In order to restore the previous behaviour, set ad_gpo_access_control to permissive or use a different access_provider type.
- Group Policy Objects defined in a different AD domain than the one the computer object is defined in are now supported.
- Credential caching and Offline authentication are also available when using two-factor authentication
- Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users and groups are now exposed as first-class objects. The users and groups can also be marked as cached and would subsequently show up in the Introspection output
- The DBus interface is now also able to look up User objects by certificate. This is a first part of work that will eventually allow smart-card authentication in SSSD.
- The LDAP cleanup task is now disabled by default, unless enumeration is enabled. Please refer to the ldap_purge_cache_timeout option in case your environment requires the cleanup task.
- The Python bindings are now built for both Python2 and Python3
- The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the ldap_opt_timeout option.
Packaging Changes
- A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable to the user who runs the SSSD service.
- Several packaging changes are present in this release to support the Python3 bindings; notably, new python-sss and python-sss-murmur subpackages are introduced in upstream RPM packaging.
- All python bindings now have a Python3 and a Python2 version in the upstream RPM packaging scheme
- The OpenSSL development library (such as openssl-devel on RHEL/Fedora or libssl-dev on Debian/Ubuntu) is now required to support certificate operations.
- A new internal library libsss_cert.so is present in this release.
- The fast initgroups memcache is represented by a new file /var/lib/sss/mc/initgroups.
Documentation Changes
- The ad_gpo_access_control option default has changed from permissive to enforcing.
- The default value of ldap_purge_cache_timeout changed to 0, thus effectively disabling the cleanup task.
- A new option cache_credentials_minimal_first_factor_length was added. This option sets constraints on the password length if one-time passwords are used and credentials are to be cached. Please see the sssd.conf(5) man page for more details.
- The cached authentication is controlled by the new option cached_auth_timeout. By default the cached authentication is disabled.
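As an added example (not part of the SSSD release notes or the project's code), the following Python audit reads a constructed sssd.conf and reports, per domain, how two of the changes above affect it: the ad_gpo_access_control default flipping to enforcing for access_provider = ad, and the window a non-zero cached_auth_timeout opens during which an old password is still accepted from the cache. The sample configuration and the domain names in it are constructed.

```python
import configparser

# Constructed sample sssd.conf for the audit below; not a real deployment.
SAMPLE_CONF = """
[sssd]
domains = corp.example.com, legacy.example.com

[domain/corp.example.com]
id_provider = ad
access_provider = ad
cache_credentials = True
cached_auth_timeout = 3600

[domain/legacy.example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive
"""


def audit_sssd_conf(text):
    """Return a list of (domain, finding) tuples for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = section[len("domain/"):]
        opts = cp[section]
        # sssd.conf(5): access_provider defaults to "permit" when it is unset.
        if opts.get("access_provider", "permit").lower() == "ad":
            gpo = opts.get("ad_gpo_access_control", "enforcing").lower()
            if gpo == "permissive":
                findings.append((dom, "ad_gpo_access_control=permissive: GPO logon "
                                      "rights are evaluated but not enforced"))
            elif "ad_gpo_access_control" not in opts:
                findings.append((dom, "ad_gpo_access_control unset: since 1.13.0 the "
                                      "default is enforcing, so GPO logon rights now apply"))
        # With cached_auth_timeout > 0 the PAM responder answers from the cache, so a
        # password that was changed server-side is still accepted for up to that long.
        timeout = opts.getint("cached_auth_timeout", fallback=0)
        if timeout > 0:
            findings.append((dom, f"cached_auth_timeout={timeout}s: an old password "
                                  f"is still accepted from the cache for up to {timeout}s"))
    return findings


if __name__ == "__main__":
    for domain, finding in audit_sssd_conf(SAMPLE_CONF):
        print(f"[{domain}] {finding}")
```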
See full release notes here.