LGTM, great work guys. Simo.
On Mon, 2018-08-13 at 15:20 +0200, Jakub Hrozek wrote:
> Hi,
>
> we’re about to release 2.0. Here are my draft release notes:
>
> SSSD 2.0.0
> ===========
>
>
> Highlights
> ----------
> This release removes or deprecates functionality from SSSD, therefore the SSSD
> team decided it was time to bump the major version number. The sssd-1-16
> branch will be still supported (most probably even as a LTM branch) so that
> users who rely on any of the removed features can either migrate or ask for
> the features to be readded.
>
> Except for the removed features, this release contains a reworked internal IPC
> and a new default storage back end for the KCM responder.
>
> Removed features
> ^^^^^^^^^^^^^^^^
> * The Python API for managing users and groups in local domains
>   (`id_provider=local`) was removed completely. The interface
>   had been packaged as a module called `pysss.local`
> * The LDAP provider had a special-case branch for evaluating group
>   memberships with the RFC2307bis schema when group nesting was
>   explicitly disabled. This codepath was adding needless additional
>   complexity for little performance gain and was rarely used.
> * The `ldap_groups_use_matching_rule_in_chain` and
>   `ldap_initgroups_use_matching_rule_in_chain` options and the code that
>   evaluated them were removed. Neither of these options provided
>   a significant performance benefit and the code implementing
>   these options was complex and rarely used.
>
> Deprecated features
> ^^^^^^^^^^^^^^^^^^^
> * The local provider (`id_provider=local`) and the command line
>   tools to manage users and groups in the local domains, such as
>   `sss_useradd`, are not built by default anymore. There is a configure-time
>   switch `--enable-local-domain` you can use to re-enable the local
>   domain support. However, upstream would like to remove the local
>   domain completely in a future release.
> * The `sssd_secrets` responder is not packaged by default. The responder
>   was meant to provide a REST API to access user secrets as well as
>   a proxy to Custodia servers, but as Custodia development all but
>   stopped and the local secrets handling so far didn't gain traction,
>   we decided to not enable this code by default. This also means that the
>   default SSSD configuration no longer requires libcurl and http-parser.
>
> Changed default settings
> ^^^^^^^^^^^^^^^^^^^^^^^^
> * The `ldap_sudo_include_regexp` option changed its default value
>   from `true` to `false`. This means that wild cards in the `sudoHost`
>   LDAP attribute are no longer supported by default. The reason we
>   changed the default was that the wildcard was costly to evaluate
>   on the LDAP server side and at the same time rarely used.
>
> New features
> ^^^^^^^^^^^^
> * The KCM responder has a new back end to store credential caches
>   in a local database. This new back end is enabled by default and
>   actually uses the same storage as the `sssd-secrets` responder had used,
>   so the switch from sssd-secrets to this new back end should be
>   completely seamless. The `sssd-secrets` socket is no longer required for
>   KCM to operate.
>
> Packaging Changes
> -----------------
> * The `sss_useradd`, `sss_userdel`, `sss_usermod`, `sss_groupadd`,
>   `sss_groupdel`, `sss_groupshow` and `sss_groupmod` binaries and their
>   manual pages are no longer packaged by default unless
>   `--enable-local-provider` is selected.
> * The sssd_secrets responder is no longer packaged by default unless
>   `--enable-secrets-responder` is selected.
> * The new internal IPC mechanism uses several private libraries that
>   need to be packaged - `libsss_sbus.so`, `libsss_sbus_sync.so`,
>   `libsss_iface.so`, `libsss_iface_sync.so`, `libifp_iface.so` and
>   `libifp_iface_sync.so`
> * The new KCM ccache back end relies on a private library
>   `libsss_secrets.so` that must be packaged in case either the KCM
>   responder or the secrets responder are enabled.
>
> Documentation Changes
> ---------------------
> * The `ldap_groups_use_matching_rule_in_chain` and
>   `ldap_initgroups_use_matching_rule_in_chain` options were removed.
> * The `ldap_sudo_include_regexp` option changed its default value
>   from `true` to `false`.
>
> Tickets Fixed
> -------------
> To be generated
>
> Detailed Changelog
> ------------------
> To be generated
> _______________________________________________
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/TBPGM4JPW3F5AKF6ELW45BMPPEOOENLO/
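
An added example, not part of the thread or of SSSD itself: a pre-upgrade audit that scans an `sssd.conf` for the settings the draft notes above list as removed, deprecated, or changed in default. The function name, the finding strings and the sample configuration are constructed for illustration; the `[secrets]` section name and the fallback of `sudo_provider` to `id_provider` are assumptions about SSSD configuration that the notes do not state.

```python
import configparser

# Option names and the changed default come from the draft release notes above.
REMOVED_OPTIONS = (
    "ldap_groups_use_matching_rule_in_chain",
    "ldap_initgroups_use_matching_rule_in_chain",
)

def audit_sssd_conf(text):
    """Return sorted (section, issue) tuples for settings affected by 2.0."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        for opt in REMOVED_OPTIONS:
            if opt in sec:
                findings.append((name, f"removed option: {opt}"))
        # Assumption: a [secrets] section configures the secrets responder.
        if name == "secrets":
            findings.append((name, "secrets responder not packaged by default"))
        if not name.startswith("domain/"):
            continue
        id_provider = sec.get("id_provider", "").strip().lower()
        if id_provider == "local":
            findings.append((name, "local provider not built by default"))
        # Assumption: sudo_provider falls back to id_provider when unset.
        sudo_provider = sec.get("sudo_provider", id_provider).strip().lower()
        if sudo_provider == "ldap" and "ldap_sudo_include_regexp" not in sec:
            findings.append((name, "ldap_sudo_include_regexp now defaults to false"))
    return sorted(findings)

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
[sssd]
services = nss, pam, sudo
domains = corp, legacy, pinned

[domain/corp]
id_provider = ldap
ldap_groups_use_matching_rule_in_chain = true

[domain/legacy]
id_provider = local

[domain/pinned]
id_provider = ldap
ldap_sudo_include_regexp = true

[secrets]
"""

if __name__ == "__main__":
    for section, issue in audit_sssd_conf(SAMPLE):
        print(f"[{section}] {issue}")
```

A domain that sets `ldap_sudo_include_regexp` explicitly is not reported, since its behaviour does not depend on the default.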