forked from jengelh/sssd
Accepting request 536521 from network:ldap
- Update to new upstream release 1.16.0
OBS-URL: https://build.opensuse.org/request/show/536521
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=84
This commit is contained in:
commit
348391ee50
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4cd5fcb314d77a58029a216b7e6001c6cb41c5b784cf570c5761c97d1c12d264
|
||||
size 5248134
|
@ -1,6 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iEYEABECAAYFAljJcscACgkQHsardTLnvCVCdwCgj0g3CSbz/gIS37W553d0QI7i
|
||||
waoAnRN8+lQjwHQS+76q5nz2eSdRLnIG
|
||||
=4tQo
|
||||
-----END PGP SIGNATURE-----
|
3
sssd-1.16.0.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:c581a6e5365cef87fca419c0c9563cf15eadbb682863d648d85ffcded7a3940f
|
||||
size 5899127
|
6
sssd-1.16.0.tar.gz.asc
Normal file
@ -0,0 +1,6 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iEYEABECAAYFAlnqDFQACgkQHsardTLnvCU79wCg3b6eA8KEVLV8WECtUpTuFOb4
|
||||
WtAAoIQpjJYhg/z0wNqa2wh5v7CLpZdP
|
||||
=MMlI
|
||||
-----END PGP SIGNATURE-----
|
70
sssd.changes
@ -1,3 +1,73 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 23 16:31:54 UTC 2017 - michael@stroeder.com
|
||||
|
||||
- Update to new upstream release 1.16.0
|
||||
|
||||
Security fixes
|
||||
* This release fixes CVE-2017-12173: Unsanitized input when searching in
|
||||
local cache database. SSSD stores its cached data in an LDAP like local
|
||||
database file using libldb. To lookup cached data LDAP search filters
|
||||
like (objectClass=user)(name=user_name) are used. However, in
|
||||
sysdb_search_user_by_upn_res(), the input was not sanitized and
|
||||
allowed to manipulate the search filter for cache lookups. This would
|
||||
allow a logged in user to discover the password hash of a different user.
|
||||
|
||||
New Features
|
||||
* SSSD now supports session recording configuration through tlog. This
|
||||
feature enables recording of everything specific users see or type
|
||||
during their sessions on a text terminal. For more information, see
|
||||
the sssd-session-recording(5) manual page.
|
||||
* SSSD can act as a client agent to deliver
|
||||
Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander>
|
||||
policies defined on an IPA server. Fleet Commander provides a
|
||||
configuration management interface that is controlled centrally and
|
||||
that covers desktop, applications and network configuration.
|
||||
* Several new systemtap <https://sourceware.org/systemtap/> probes
|
||||
were added into various locations in SSSD code to assist in
|
||||
troubleshooting and analyzing performance related issues. Please see the
|
||||
sssd-systemtap(5) manual page for more information.
|
||||
* A new LDAP provide access control mechanism that allows to restrict
|
||||
access based on PAM's rhost data field was added. For more details,
|
||||
please consult the sssd-ldap(5) manual page, in particular the
|
||||
options ldap_user_authorized_rhost and the rhost value of
|
||||
ldap_access_filter.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 15:46:23 UTC 2017 - michael@stroeder.com
|
||||
|
||||
- Update to new upstream release 1.15.3 (KCM disabled)
|
||||
|
||||
New Features
|
||||
* In a setup where an IPA domain trusts an Active Directory domain,
|
||||
it is now possible to define the domain resolution order
|
||||
(see http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names).
|
||||
* Design page - Shortnames in trusted domains <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>
|
||||
* SSSD ships with a new service called KCM. This service acts as a
|
||||
storage for Kerberos tickets when "libkrb5" is configured to use
|
||||
"KCM:" in "krb5.conf".
|
||||
* Design page - KCM server for SSSD <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>
|
||||
* NOTE: There are several known issues in the "KCM" responder that
|
||||
will be handled in the next release.
|
||||
* Support for user and group resolution through the D-Bus interface and
|
||||
authentication and/or authorization through the PAM interface even
|
||||
for setups without UIDs or Windows SIDs present on the LDAP directory
|
||||
side. This enhancement allows SSSD to be used together with apache
|
||||
modules <https://github.com/adelton/mod_lookup_identity> to provide
|
||||
identities for applications
|
||||
* Design page - Support for non-POSIX users and groups <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>
|
||||
* SSSD ships a new public library called "libsss_certmap" that allows
|
||||
a flexible and configurable way of mapping a certificate to a user
|
||||
identity.
|
||||
* Design page - Matching and Mapping Certificates <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html>
|
||||
* The Kerberos locator plugin can be disabled using an environment variable
|
||||
"SSSD_KRB5_LOCATOR_DISABLE". Please refer to the
|
||||
"sssd_krb5_locator_plugin" manual page for mode details.
|
||||
* The "sssctl" command line tool supports a new command "user-checks"
|
||||
that enables the administrator to check whether a certain user should be
|
||||
allowed or denied access to a certain PAM service.
|
||||
* The "secrets" responder now forwards requests to a proxy Custodia
|
||||
back end over a secure channel.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 16 13:32:12 UTC 2017 - hguo@suse.com
|
||||
|
||||
|
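Review bot: in the 1.16.0 entry, the CVE-2017-12173 item has no bug tracker reference next to the CVE id; add the corresponding Bugzilla number so the fix can be tracked from the changelog. Two typos in the new text are worth fixing at the same time: "A new LDAP provide access control mechanism" should read "provider", and "manual page for mode details" in the 1.15.3 entry should read "more details".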
47
sssd.spec
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: sssd
|
||||
Version: 1.15.2
|
||||
Version: 1.16.0
|
||||
Release: 0
|
||||
Summary: System Security Services Daemon
|
||||
License: GPL-3.0+ and LGPL-3.0+
|
||||
@ -30,7 +30,7 @@ Source2: http://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc
|
||||
Source3: baselibs.conf
|
||||
Source4: sssd.service
|
||||
Source5: %name.keyring
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRoot: %_tmppath/%name-%version-build
|
||||
|
||||
%define servicename sssd
|
||||
%define sssdstatedir %_localstatedir/lib/sss
|
||||
@ -214,6 +214,23 @@ Group: System/Libraries
|
||||
The idmap_sss module provides a way for Winbind to call SSSD to map
|
||||
UIDs/GIDs and SIDs.
|
||||
|
||||
%package -n libsss_certmap0
|
||||
Summary: FreeIPA ID mapping library
|
||||
License: LGPL-3.0+
|
||||
Group: System/Libraries
|
||||
|
||||
%description -n libsss_certmap0
|
||||
A utility library for FreeIPA to map certs.
|
||||
|
||||
%package -n libsss_certmap-devel
|
||||
Summary: Development files for the FreeIPA certmap library
|
||||
License: LGPL-3.0+
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: libsss_certmap0 = %version
|
||||
|
||||
%description -n libsss_certmap-devel
|
||||
A utility library for FreeIPA to map certs.
|
||||
|
||||
%package -n libipa_hbac0
|
||||
Summary: FreeIPA HBAC Evaluator library
|
||||
License: LGPL-3.0+
|
||||
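Review bot: the Summary of libsss_certmap0, "FreeIPA ID mapping library", does not match what the library does; the changelog in this same commit describes libsss_certmap as mapping a certificate to a user identity, so the Summary should say certificate mapping. The %description of libsss_certmap-devel repeats the library's text verbatim ("A utility library for FreeIPA to map certs."); it should say that the package holds the header and pkg-config file needed to build against the library.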
@ -409,6 +426,7 @@ export LDFLAGS="-pie"
|
||||
--with-os=suse \
|
||||
--with-semanage=no \
|
||||
--disable-ldb-version-check \
|
||||
--without-kcm \
|
||||
--without-secrets
|
||||
make %{?_smp_mflags} all
|
||||
|
||||
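Review bot: the configure arguments pass both --without-kcm and --without-secrets, but the changelog only records "(KCM disabled)" on the 1.15.3 entry and still lists the secrets responder change under New Features. Add a line to the 1.16.0 entry in sssd.changes stating that KCM and the secrets responder are not built in this package, and why, so that users do not expect them to be available.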
@ -487,14 +505,25 @@ rm -f /var/lib/sss/db/*.ldb
|
||||
%_mandir/??/man1/sss_ssh_*
|
||||
%_mandir/??/man5/sssd-simple.5*
|
||||
%_mandir/??/man5/sssd-sudo.5*
|
||||
%_mandir/??/man5/sssd.conf.5*
|
||||
#%_mandir/??/man5/sssd.conf.5*
|
||||
%_mandir/??/man8/sssd.8*
|
||||
%_mandir/??/man5/sss-certmap.5.gz
|
||||
%_mandir/??/man5/sssd-ad.5.gz
|
||||
%_mandir/??/man5/sssd-files.5.gz
|
||||
%_mandir/??/man5/sssd-secrets.5.gz
|
||||
%_mandir/??/man5/sssd.conf.5.gz
|
||||
%_mandir/??/man8/idmap_sss.8.gz
|
||||
%_mandir/??/man8/sssctl.8.gz
|
||||
%_mandir/??/man8/sssd-kcm.8.gz
|
||||
%_mandir/??/man5/sssd-simple.5*
|
||||
%_mandir/man1/sss_ssh_*
|
||||
%_mandir/man8/sssctl.8*
|
||||
%_mandir/man5/sssd-files.5*
|
||||
%_mandir/man5/sssd-simple.5*
|
||||
%_mandir/man5/sssd-sudo.5*
|
||||
%_mandir/man5/sssd.conf.5*
|
||||
%_mandir/man5/sss-certmap.5.gz
|
||||
%_mandir/man5/sssd-session-recording.5.gz
|
||||
%_mandir/man8/sssd.8*
|
||||
%dir %_libdir/%name/
|
||||
%_libdir/%name/conf/
|
||||
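Review bot: this file list names %_mandir/??/man8/sssd-kcm.8.gz and %_mandir/??/man5/sssd-secrets.5.gz although configure is called with --without-kcm and --without-secrets; check whether man pages for components that are not built should ship in the main package. %_mandir/??/man5/sssd-simple.5* appears twice in the list, and the commented-out "#%_mandir/??/man5/sssd.conf.5*" should be deleted rather than kept, since rpm still expands macros inside comments. Several entries also hard-code the .gz suffix where the neighbouring lines use a "5*" or "8*" glob; the glob form keeps working if the man page compression changes.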
@ -643,7 +672,6 @@ rm -f /var/lib/sss/db/*.ldb
|
||||
%_sbindir/sss_useradd
|
||||
%_sbindir/sss_userdel
|
||||
%_sbindir/sss_usermod
|
||||
%_sbindir/sss_override
|
||||
%dir %_mandir/??/man8/
|
||||
%_mandir/??/man8/sss_*.8*
|
||||
%_mandir/man8/sss_*.8*
|
||||
@ -678,6 +706,17 @@ rm -f /var/lib/sss/db/*.ldb
|
||||
%_libdir/libipa_hbac.so
|
||||
%_libdir/pkgconfig/ipa_hbac.pc
|
||||
|
||||
%files -n libsss_certmap0
|
||||
%defattr(-,root,root)
|
||||
%_libdir/libsss_certmap.so
|
||||
%_libdir/libsss_certmap.so.0*
|
||||
|
||||
%files -n libsss_certmap-devel
|
||||
%defattr(-,root,root)
|
||||
%_includedir/sss_certmap.h
|
||||
%_libdir/libsss_certmap.so
|
||||
%_libdir/pkgconfig/sss_certmap.pc
|
||||
|
||||
%files -n libnfsidmap-sss
|
||||
%defattr(-,root,root)
|
||||
%_libdir/libnfsidmap/
|
||||
|
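Review bot: %_libdir/libsss_certmap.so is listed under both %files -n libsss_certmap0 and %files -n libsss_certmap-devel. The unversioned .so link is only needed for linking and belongs in the -devel package alone; keep just %_libdir/libsss_certmap.so.0* in libsss_certmap0 so the two packages do not own the same file.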