On (24/07/17 18:34), Jakub Hrozek wrote:
>Hi,
>
>I would really like to release 1.15.3 soon (like, today, at worst
>tomorrow if we can't merge PR #328 and #331 today). The release notes
>are here:
>    https://pagure.io/fork/jhrozek/SSSD/docs
>
>You can either clone the repo and run 'make html' or, for your
>convenience, I'm pasting the RST-formatted release notes below:
>
>SSSD 1.15.3
>===========
>
>Highlights
>----------
>
>New Features
>^^^^^^^^^^^^
> * In a setup where an IPA domain trusts an Active Directory domain,
>   it is now possible to `define the domain resolution order
>   <http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names>`_.
>   Starting with this version, SSSD is able to read and honor the domain
>   resolution order, providing a way to resolve Active Directory users by
>   just their short name.  SSSD also supports a new option
>   ``domain_resolution_order`` applicable in the ``[sssd]`` section
>   that allows configuring short names for AD users in a setup with
>   ``id_provider=ad`` or in a setup with an older IPA server that doesn't
>   support the ``ipa config-mod --domain-resolution-order``
>   configuration option. Also, it is now possible to use
>   ``use_fully_qualified_names=False`` in a subdomain configuration, but
>   please note that the user and group output from trusted domains will
>   always be qualified to avoid conflicts.
>
>   * Design page - `Shortnames in trusted domains
>     <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_
>
> * SSSD ships with a new service called KCM. This service acts as a
>   storage for Kerberos tickets when ``libkrb5`` is configured to use
>   ``KCM:`` in ``krb5.conf``. Compared to other Kerberos credential
>   cache types, KCM is better suited for containerized environments and,
>   because the credential caches are managed by a stateful daemon, in
>   future releases it will also allow renewing tickets acquired outside SSSD
>   (e.g. with ``kinit``) or provide notifications about ticket changes.
>

Maybe we can mention that it is an optional feature and can be disabled
at configure time if users do not want additional build-time/runtime
dependencies.


>   * Design page - `KCM server for SSSD
>     <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>`_
>
>   * `NOTE`: There are several known issues in the ``KCM`` responder that
>     will be handled in the next release such as
>     `issues with very large tickets <https://pagure.io/SSSD/sssd/issue/3386>`_
>     or `tracking the SELinux label of the peer
>     <https://pagure.io/SSSD/sssd/issue/3434>`_
>
> * Support for user and group resolution through the D-Bus interface and
>   authentication and/or authorization through the PAM interface even
>   for setups without UIDs or Windows SIDs present on the LDAP directory
>   side. This enhancement allows SSSD to be used together with `apache
>   modules <https://github.com/adelton/mod_lookup_identity>`_ to provide
>   identities for applications.
>
>   * Design page - `Support for non-POSIX users and groups
>     <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_
>
> * SSSD ships a new public library called ``libsss_certmap`` that allows
>   a flexible and configurable way of mapping a certificate to a user
>   identity. This is required e.g. in environments where it is not possible
>   to add the certificate to the LDAP user entry, because the certificates
>   are issued externally or the LDAP schema cannot be modified. Additionally,
>   specific matching rules allow a specific certificate on a smart card to
>   be selected for authentication.
>
>   * Design page - `Matching and Mapping Certificates
>     <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html>`_
>
> * The Kerberos locator plugin can be disabled using an environment variable
>   ``SSSD_KRB5_LOCATOR_DISABLE``. Please refer to the
>   ``sssd_krb5_locator_plugin`` manual page for more details.
>
> * The ``sssctl`` command line tool supports a new command ``user-checks``
>   that enables the administrator to check whether a certain user should be
>   allowed or denied access to a certain PAM service.
>
> * The ``secrets`` responder now forwards requests to a proxy Custodia
>   back end over a secure channel.
>
>Notable bug fixes
>^^^^^^^^^^^^^^^^^
>
> * The IPA HBAC evaluator no longer relies on ``originalMemberOf``
>   attributes to construct the list of groups the user is a member of.
>   Maintaining the ``originalMemberOf`` attribute was unreliable and
>   was causing intermittent HBAC issues.
>
> * A bug where the cleanup operation might erroneously remove cached users
>   during their cache validation in case SSSD was set up with
>   ``enumerate=True`` was fixed.
>
> * Several bugs related to configuration of trusted domains were fixed, in
>   particular handling of custom LDAP search bases set for trusted domains.
>
> * Password changes for users from trusted Active Directory domains
>   were fixed.
>
>Packaging Changes
>-----------------
>
> * A new KCM responder was added along with a manpage. The upstream
>   reference specfile packages the responder in its own subpackage called
>   ``sssd-kcm`` and a krb5.conf snippet that enables the ``KCM``
>   credentials cache simply by installing the subpackage.
>

Would be good to merge https://github.com/SSSD/sssd/pull/244 because
/etc/krb5.conf.d/ is Fedora/EL7-specific, which is not ideal from
upstream POV.

LS
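
For reference, the two settings named in the quoted notes look roughly like this in configuration. This is an added example, not part of the original message or of the SSSD sources; the domain names and the krb5.conf.d file name are placeholders.

```ini
# --- /etc/sssd/sssd.conf (constructed example) ---
[sssd]
services = nss, pam
domains = ad.example.com
# Comma-separated lookup order used when a user is requested by short name.
# Useful with id_provider=ad, or with an older IPA server that lacks
# "ipa config-mod --domain-resolution-order".
domain_resolution_order = child.ad.example.com, ad.example.com

[domain/ad.example.com]
id_provider = ad
# Output for users and groups from trusted domains stays fully qualified
# regardless of this setting, to avoid name conflicts.
use_fully_qualified_names = False

# --- krb5.conf snippet, e.g. a file under /etc/krb5.conf.d/ where the
# --- distribution's krb5.conf includes that directory (placeholder file name) ---
[libdefaults]
    # Hand credential caches to the sssd-kcm daemon instead of FILE:/KEYRING:
    default_ccache_name = KCM:
```

On systems whose krb5.conf does not include a drop-in directory, the `default_ccache_name` line has to go into the main krb5.conf instead.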