SHA256
1
0
forked from pool/sssd

Trim changelog by smart grammatical reordering

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=149
This commit is contained in:
Jan Engelhardt 2015-06-14 20:54:24 +00:00 committed by Git OBS Bridge
parent b39414e572
commit 48ad59e229
2 changed files with 35 additions and 57 deletions

View File

@ -2,62 +2,40 @@
Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com
- Update to new upstream release 1.12.5
== Highlights ==
* This release adds several new enhancements and fixes many bugs
* Notable new enhancements:
* The background refresh tasks now supports refreshing users and groups
as well. Please see the description of the `refresh_expired_interval`
parameter in the `sssd.conf` man page.
* A new option subdomain_inherit was added. Options included in
the subdomain_inherit option also apply for trusted domains, if
supported. This release supports inheriting ignore_group_members,
ldap_purge_cache_timeout, ldap_use_tokengroups and
ldap_user_principal.
* When an expired account attempts to log in, a configurable error
message can be displayed with sufficient pam_verbosity setting. Please
see the description of the pam_account_expired_message option for
more information.
* OpenLDAP ppolicy can be honored even when an alternate login method
(such as SSH key) is used. Please see the description of the new
ppolicy value of the ldap_access_order option.
* A new option krb5_map_user was added. This option allows the admin
to map UNIX usernames to Kerberos principals. The option would be
mostly useful for setups that wish to continue using UNIX file-based
identities together with SSSD Kerberos authentication
* The important bug fixes include:
* Several AD-specific bugs that resulted in the incorrect set of groups
being displayed after the initgroups operation were fixed
* Many fixes related to the IPA ID views feature are included. Setups
using the ID views feature should update the SSSD instance on both
IPA servers and clients.
* The AD provider now handles binary GUIDs correctly. This bug was
manifested with an error message saying ldb_modify failed: Invalid
attribute syntax.
* The AD provider no longer downloads full group objects during
initgroups request if POSIX attributes are used. This fix may speed
up the login times significantly.
* A bug that prevented the `ignore_group_members` parameter to be used
with the AD provider was fixed
* The fail over code now reads and honors TTL value for SRV queries
as well. Previously, SRV queries used a hardcoded timeout
* The SELinux context set up during login with an IPA provider is only
called if the context had changed. This fixes a performance regression
with the IPA provider.
* The background refresh tasks now supports refreshing users and
groups as well. See the "refresh_expired_interval" parameter in
the sssd.conf manpage.
* A new option subdomain_inherit was added.
* When an expired account attempts to log in, a configurable
error message can be displayed with sufficient pam_verbosity
setting. See the "pam_account_expired_message" option.
* OpenLDAP ppolicy can be honored even when an alternate login
method (such as SSH key) is used. See the "ldap_access_order"
option.
* A new option :krb5_map_user" was added, allowing the admin to
map UNIX usernames to Kerberos principals.
* BUG FIXES:
* Fixed AD-specific bugs that resulted in the incorrect set of
groups being displayed after the initgroups operation.
* Fixes related to the IPA ID views feature. Setups using this
should update sssd on both IPA servers and clients.
* The AD provider now handles binary GUIDs correctly.
* A bug that prevented the `ignore_group_members` parameter to be
used with the AD provider was fixed.
* The failover code now reads and honors TTL value for SRV
queries as well.
* Race condition between setting the timeout in the back ends and
reading it in the front end during initgroup operation was fixed. This
bug affected applications that perform the `initgroups(3)` operation
in multiple processes simultaneously.
* Setups that only want to use the domain SSSD is connected to, but not
the autodiscovered trusted domains by setting `subdomains_provider=none`
now work correctly as long as the domain SID is set manually in the
config file
* In case only allow rules are used, the simple access provider is
now able to skip unresolvable groups.
* The GPO access control code now handles situations where user and
computer objects were in different domains. Previously, an attempt to
log in as user from a different domain than computer always resulted
in login failure.
reading it in the front end during initgroup operation was
fixed. This bug affected applications that perform the
initgroups(3) operation in multiple processes simultaneously.
* Setups that only want to use the domain SSSD is connected to,
but not the autodiscovered trusted domains by setting
`subdomains_provider=none` now work correctly as long as the
domain SID is set manually in the config file.
* In case only "allow" rules are used, the simple access provider
is now able to skip unresolvable groups.
* The GPO access control code now handles situations where user
and computer objects were in different domains.
-------------------------------------------------------------------
Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com

View File

@ -1,7 +1,7 @@
#
# spec file for package sssd
#
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed