On Tue, Jul 25, 2017 at 08:39:59AM +0200, Lukas Slebodnik wrote:
> On (24/07/17 18:34), Jakub Hrozek wrote:
> >Hi,
> >
> >I would really like to release 1.15.3 soon (like, today, at worst
> >tomorrow if we can't merge PR #328 and #331 today). The release notes
> >are here:
> >    https://pagure.io/fork/jhrozek/SSSD/docs
> >
> >You can either clone the repo and run 'make html' or, for your
> >convenience, I'm pasting the RST-formatted release notes below:
> >
> >SSSD 1.15.3
> >===========
> >
> >Highlights
> >----------
> >
> >New Features
> >^^^^^^^^^^^^
> > * In a setup where an IPA domain trusts an Active Directory domain,
> >   it is now possible to `define the domain resolution order
> >   <http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names>`_.
> >   Starting with this version, SSSD is able to read and honor the domain
> >   resolution order, providing a way to resolve Active Directory users by
> >   just their short name.  SSSD also supports a new option
> >   ``domain_resolution_order`` applicable in the ``[sssd]`` section
> >   that allows to configure short names for AD users in a setup with
> >   ``id_provider=ad`` or in a setup with an older IPA server that doesn't
> >   support the ``ipa config-mod --domain-resolution-order``
> >   configuration option. Also, it is now possible to use
> >   ``use_fully_qualified_names=False`` in a subdomain configuration, but
> >   please note that the user and group output from trusted domains will
> >   always be qualified to avoid conflicts.
> >
> >   * Design page - `Shortnames in trusted domains
> >     <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_
> >
> > * SSSD ships with a new service called KCM. This service acts as a
> >   storage for Kerberos tickets when ``libkrb5`` is configured to use
> >   ``KCM:`` in ``krb5.conf``. Compared to other Kerberos credential
> >   cache types, KCM is better suited for containerized environments and
> >   because the credential caches are managed by a stateful daemon, in
> >   future releases will also allow to renew tickets acquired outside SSSD
> >   (e.g. with ``kinit``) or provide notifications about ticket changes.
> >
> 
> Maybe we can mention that it is an optional feature and can be disabled
> at configure time if users do not want additional build-time/runtime
> dependencies.

Done

> 
> 
> >   * Design page - `KCM server for SSSD
> >     <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>`_
> >
> >   * `NOTE`: There are several known issues in the ``KCM`` responder that
> >     will be handled in the next release such as
> >     `issues with very large tickets
> >     <https://pagure.io/SSSD/sssd/issue/3386>`_
> >     or `tracking the SELinux label of the peer
> >     <https://pagure.io/SSSD/sssd/issue/3434>`_
> >
> > * Support for user and group resolution through the D-Bus interface and
> >   authentication and/or authorization through the PAM interface even
> >   for setups without UIDs or Windows SIDs present on the LDAP directory
> >   side. This enhancement allows SSSD to be used together with `apache
> >   modules <https://github.com/adelton/mod_lookup_identity>`_ to provide
> >   identities for applications
> >
> >   * Design page - `Support for non-POSIX users and groups
> >     <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_
> >
> > * SSSD ships a new public library called ``libsss_certmap`` that allows
> >   a flexible and configurable way of mapping a certificate to a user
> >   identity. This is required e.g. in environments where it is not possible
> >   to add the certificate to the LDAP user entry, because the certificates
> >   are issued externally or the LDAP schema cannot be modified. Additionally,
> >   specific matching rules allow a specific certificate on a smart card to
> >   be selected for authentication.
> >
> >   * Design page - `Matching and Mapping Certificates
> >     <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html>`_
> >
> > * The Kerberos locator plugin can be disabled using an environment variable
> >   ``SSSD_KRB5_LOCATOR_DISABLE``. Please refer to the
> >   ``sssd_krb5_locator_plugin`` manual page for more details.
> >
> > * The ``sssctl`` command line tool supports a new command ``user-checks``
> >   that enables the administrator to check whether a certain user should be
> >   allowed or denied access to a certain PAM service.
> >
> > * The ``secrets`` responder now forwards requests to a proxy Custodia
> >   back end over a secure channel.
> >
> >Notable bug fixes
> >^^^^^^^^^^^^^^^^^
> >
> > * The IPA HBAC evaluator no longer relies on ``originalMemberOf``
> >   attributes to construct the list of groups the user is a member of.
> >   Maintaining the ``originalMemberOf`` attribute was unreliable and
> >   was causing intermittent HBAC issues.
> >
> > * A bug where the cleanup operation might erroneously remove cached users
> >   during their cache validation in case SSSD was set up with
> >   ``enumerate=True`` was fixed.
> >
> > * Several bugs related to configuration of trusted domains were fixed, in
> >   particular handling of custom LDAP search bases set for trusted domains.
> >
> > * Password changes for users from trusted Active Directory domains
> >   were fixed
> >
> >Packaging Changes
> >-----------------
> >
> > * A new KCM responder was added along with a manpage. The upstream
> >   reference specfile packages the responder in its own subpackage called
> >   ``sssd-kcm`` and a krb5.conf snippet that enables the ``KCM``
> >   credentials cache simply by installing the subpackage
> >
> 
> Would be good to merge https://github.com/SSSD/sssd/pull/244 because
> /etc/krb5.conf.d/ is fedora/el7 specific which is not ideal from
> upstream POV.

Done.
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
