forked from jengelh/sssd
Jan Engelhardt
0634651aa9
- Update to new upstream release 1.11.3 OBS-URL: https://build.opensuse.org/request/show/212033 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=106
523 lines
21 KiB
Plaintext
-------------------------------------------------------------------
Fri Dec 20 21:54:58 UTC 2013 - jengelh@inai.de

- Update to new upstream release 1.11.3
  * The AD provider is able to resolve group memberships for groups
    with Global and Universal scope
  * The initgroups (get groups for user) operation for users from
    trusted AD domains was made more reliable by reading the required
    tokenGroups attribute from LDAP instead of Global Catalog
  * A new option ad_enable_gc was added to the AD provider. This
    option allows the administrator to force SSSD to talk to LDAP
    port only and never try the Global Catalog
  * The AD provider is now able to leverage the tokenGroups attribute
    even when POSIX attributes are used, providing better performance
    during logins.
  * A memory leak in the NSS responder that affected long-lived
    clients that requested netgroup data was fixed
- Remove sssd-ldflags.diff (merged upstream)

-------------------------------------------------------------------
Thu Nov 28 16:51:39 UTC 2013 - ckornacker@suse.com

- Migrate deprecated krb5_kdcip variable to krb5_server (bnc#851048)

-------------------------------------------------------------------
Fri Nov 1 22:12:03 UTC 2013 - jengelh@inai.de

- Update to new upstream release 1.11.2
  * A new option ad_access_filter was added. This option allows the
    administrator to easily configure an LDAP search filter that the
    users logging in must match in order to be granted access.
  * The Kerberos provider will no longer try to create public
    directories when evaluating the krb5_ccachedir option.
- Remove 0005-implicit-decl.diff (merged upstream)

-------------------------------------------------------------------
Tue Sep 3 21:12:37 UTC 2013 - jengelh@inai.de

- Update to new upstream release 1.11.0
  * The sudo integration was made more robust. SSSD is now able to
    gracefully handle situations where it is not able to resolve the
    client host name or sudo rules have multiple name attributes.
  * Several nested group membership bugs were fixed
  * The PAC responder was made more robust and efficient, modifying
    existing cache entries instead of always recreating them.
  * The Kerberos provider now supports the new KEYRING ccache type.
- Remove sssd-no-ldb-check.diff, now implemented through a
  configure argument --disable-ldb-version-check

-------------------------------------------------------------------
Sun Jun 16 16:11:42 UTC 2013 - jengelh@inai.de

- Explicitly formulate SASL BuildRequires

-------------------------------------------------------------------
Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de

- Update to new upstream release 1.9.5
  * Includes a fix for CVE-2013-0287: A simple access provider flaw
    prevents intended ACL use when SSSD is configured as an Active
    Directory client.
  * Fixed spurious password expiration warning that was printed on
    login with the Kerberos back end.
  * A new option ldap_rfc2307_fallback_to_local_users was added. If
    this option is set to true, SSSD is able to resolve local
    group members of LDAP groups.
  * Fixed an indexing bug that prevented the contents of autofs maps
    from being returned to the automounter daemon in case the map
    contained a large number of entries.
  * Several fixes for safer handling of Kerberos credential caches
    for cases where the ccache is set to be stored in a DIR: type.
- Remove Provide-a-be_get_account_info_send-function.patch,
  Add-unit-tests-for-simple-access-test-by-groups.patch,
  Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch,
  Resolve-GIDs-in-the-simple-access-provider.patch
  (CVE-2013-0287 material is in upstream),
  sssd-sysdb-binary-attrs.diff (merged upstream)

-------------------------------------------------------------------
Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de

- Implement signature verification

-------------------------------------------------------------------
Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com

- Fixed security issue: CVE-2013-0287 (bnc#809153):
  When SSSD is configured as an Active Directory client by using
  the new Active Directory provider or equivalent configuration
  of the LDAP provider, the Simple Access Provider does not
  handle access control correctly. If any groups are specified
  with the simple_deny_groups option, the group members are
  permitted access. New patches:
  * Provide-a-be_get_account_info_send-function.patch
  * Add-unit-tests-for-simple-access-test-by-groups.patch
  * Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
  * Resolve-GIDs-in-the-simple-access-provider.patch

-------------------------------------------------------------------
Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de

- Resolve user retrieval problems when encountering binary data
  in LDAP attributes (bnc#806078),
  added sssd-sysdb-binary-attrs.diff
- Added sssd-no-ldb-check.diff so that SSSD continues to start
  even after an LDB update.

-------------------------------------------------------------------
Fri Feb 8 10:31:52 UTC 2013 - rhafer@suse.com

- fix package name in baselibs.conf (bnc#796423)

-------------------------------------------------------------------
Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com

- update to 1.9.4 (bnc#801036):
  * A security bug assigned CVE-2013-0219 was fixed - TOCTOU race
    conditions when creating or removing home directories for users
    in local domain
  * A security bug assigned CVE-2013-0220 was fixed - out-of-bounds
    reads in autofs and ssh responder
  * The sssd_pam responder processes pending requests after
    reconnect
  * A serious memory leak in the NSS responder was fixed
  * Requests that were processing group entries with DNs pointing
    out of any configured search bases were not terminated
    correctly, causing long timeouts
  * Kerberos tickets are correctly renewed even after SSSD daemon
    restart
  * Multiple fixes related to SUDO integration, in particular
    fixing functionality when the sssd back end process was
    changing its online/offline status
  * The pwd_exp_warning option was fixed to function as documented
    in the manual page
- refreshed sssd-ldflags.diff to apply cleanly

-------------------------------------------------------------------
Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com

- Removed left-over "Requires" for no longer existing sssd-client
  subpackage.
- New patch: sssd-ldflags.diff to fix link failures due to erroneous
  LDFLAGS usage

-------------------------------------------------------------------
Thu Dec 6 10:38:59 UTC 2012 - rhafer@suse.com

- Switch back to using libcrypto instead of mozilla-nss as it seems
  to be supported upstream again, cf.
  https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010202.html
- Cleanup PAM configuration after uninstalling sssd (bnc#788328)

-------------------------------------------------------------------
Thu Dec 6 09:05:29 UTC 2012 - jengelh@inai.de

- Update to new upstream release 1.9.3
  * Many fixes related to deployments where the SSSD is running as
    a client of IPA server with trust relation established with an
    Active Directory server
  * Multiple fixes related to correct reporting of group
    memberships, especially in setups that use nested groups
  * Fixed a bug that prevented upgrade from the 1.8 series if the
    cache contained nested groups before the upgrade
  * Restarting the responders is more robust for cases where the
    machine is under heavy load during back end restart
  * The default_shell option can now be also set per-domain in
    addition to global setting.

-------------------------------------------------------------------
Sat Nov 10 00:27:06 UTC 2012 - jengelh@inai.de

- Update to new upstream release 1.9.2
  * Users or groups from trusted domains can be retrieved by UID or
    GID as well
  * Several fixes that mitigate file descriptor leak during logins
  * SSH host keys are also removed from the cache after being
    removed from the server
  * Fix intermittent crash in responders if the responder was
    shutting down while requests were still pending
  * Catch an error condition that might have caused a tight loop in
    the sssd_nss process while refreshing expired enumeration request
  * Fixed memory hierarchy of subdomains discovery requests that
    caused use-after-free access bugs
  * The krb5_child and ldap_child processes can print libkrb5 tracing
    information in the debug logs

-------------------------------------------------------------------
Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de

- Update to new upstream release 1.8.93 (1.9.0~beta3)
  * Add native support for autofs to the IPA provider
  * Support for id mapping when connecting to Active Directory
  * Support for handling very large (> 1500 users) groups in
    Active Directory
  * Add a new fast in-memory cache to speed up lookups of cached data
    on repeated requests
  * Add support for the Kerberos DIR cache for storing multiple TGTs
    automatically
  * Add a new PAC responder for dealing with cross-realm Kerberos
    trusts
  * Terminate idle connections to the NSS and PAM responders

-------------------------------------------------------------------
Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de

- Update to new upstream release 1.8.3
  * LDAP: Handle situations where the RootDSE is not available
    anonymously
  * LDAP: Fix regression for users using non-standard LDAP attributes
    for user information
- Switch from openssl to mozilla-nss, as this is the officially
  supported crypto integration

-------------------------------------------------------------------
Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com

- Fix build error on SLES 11 builds

-------------------------------------------------------------------
Mon Apr 9 21:45:45 PDT 2012 - ben.kevan@gmail.com

- Add suse_version condition for glib over libunistring for
  SLES 11 SP2.
- Update to new upstream release 1.8.2
  * Fix for GSSAPI binds when the keytab contains unrelated
    principals
  * Workarounds added for LDAP servers with unreadable RootDSE

-------------------------------------------------------------------
Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com

- Update to new upstream release 1.8.1
  * Resolve issue where we could enter an infinite loop trying to
    connect to an auth server

-------------------------------------------------------------------
Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de

- Update to new upstream release 1.8.0
  * Support for the service map in NSS
  * Support for setting default SELinux user context from FreeIPA
  * Support for retrieving SSH user and host keys from LDAP
  * Support for caching autofs LDAP requests
  * Support for caching SUDO rules
  * Include the IPA AutoFS provider
  * Fixed several memory-corruption bugs
  * Fixed a regression in the proxy provider

-------------------------------------------------------------------
Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de

- Fixed systemd related packaging issues (bnc#724157)
- fixed build on older openSUSE releases

-------------------------------------------------------------------
Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de

- Resolve "have choice for libnl-devel:
  libnl-1_1-devel libnl3-devel"

-------------------------------------------------------------------
Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de

- Fixed typos in configure args
- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
- switched to fd-leak fix cherry-picked from 1.5 branch
- Add /usr/sbin to the search path to make configure find nscd
  (bnc#709747)

-------------------------------------------------------------------
Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de

- Add patches to fix an fd leak in sssd_pam

-------------------------------------------------------------------
Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de

- Update to new upstream release 1.5.11
  * Support for overriding home directory, shell and primary GID
    locally
  * Properly honor TTL values from SRV record lookups
  * Support non-POSIX groups in nested group chains (for RFC2307bis
    LDAP servers)
  * Properly escape IPv6 addresses in the failover code
  * Do not crash if inotify fails (e.g. resource exhaustion)
- Remove redundant %clean section; delete .la files more
  efficiently

-------------------------------------------------------------------
Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de

- Update to 1.5.8:
  * Support for the LDAP paging control
  * Support for multiple DNS servers for name resolution
  * Fixes for several group membership bugs
  * Fixes for rare crash bugs

-------------------------------------------------------------------
Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de

- Update to 1.5.7
  * A flaw was found in the handling of cached passwords when
    kerberos ticket renewal is enabled. Due to a bug, the cached
    password was overwritten with a (moderately) predictable
    filename, which could allow a user to authenticate as someone
    else if they knew the name of the cache file (bnc#691135,
    CVE-2011-1758)
- Changes in 1.5.6:
  * Fixed a serious memory leak in the memberOf plugin
  * Fixed a regression with the negative cache that caused it to be
    essentially nonfunctional
  * Fixed an issue where the user's full name would sometimes be
    removed from the cache
  * Fixed an issue with password changes in the kerberos provider
    not working with kpasswd

-------------------------------------------------------------------
Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de

- Update to 1.5.5
  * Fixes for several crash bugs
  * LDAP group lookups will no longer abort if there is a
    zero-length member attribute
  * Add automatic fallback to 'cn' if the 'gecos' attribute does not
    exist

-------------------------------------------------------------------
Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de

- Should build in SLE-11-SP1 now

-------------------------------------------------------------------
Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de

- Updated to 1.5.4
  * Fixes for Active Directory when not all users and groups have
    POSIX attributes
  * Fixes for handling users and groups that have name aliases
    (aliases are ignored)
  * Fix group memberships after initgroups in the IPA provider

-------------------------------------------------------------------
Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de

- Updated to 1.5.3
  * Support for libldb >= 1.0.0
  * Proper detection of manpage translations
  * Changes between 1.5.1 and 1.5.2
  * Fixes for support of FreeIPA v2
  * Fixes for failover if DNS entries change
  * Improved sss_obfuscate tool with better interactive mode
  * Fix several crash bugs
  * Don't attempt to use START_TLS over SSL. Some LDAP servers
    can't handle this
  * Delete users from the local cache if initgroups calls return
    'no such user' (previously only worked for getpwnam/getpwuid)
  * Use new Transifex.net translations
  * Better support for automatic TGT renewal (now survives
    restart)
  * Netgroup fixes

-------------------------------------------------------------------
Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de

- Updated to 1.5.1
  * Vast performance improvements when enumerate = true
  * All PAM actions will now perform a forced initgroups lookup
    instead of just a user information lookup. This guarantees that
    all group information is available to other providers, such as
    the simple provider.
  * For backwards-compatibility, DNS lookups will also fall back to
    trying the SSSD domain name as a DNS discovery domain.
  * Support for more password expiration policies in LDAP
    - 389 Directory Server
    - FreeIPA
    - ActiveDirectory
  * Support for ldap_tls_{cert,key,cipher_suite} config options
  * Assorted bugfixes

-------------------------------------------------------------------
Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de

- /var/lib/sss/pubconf was missing (bnc#665442)

-------------------------------------------------------------------
Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de

- It was possible to make sssd hang forever inside a loop in the
  PAM responder by sending a carefully crafted packet to sssd.
  This could be exploited by a local attacker to crash sssd and
  prevent other legitimate users from logging into the system.
  (bnc#660481, CVE-2010-4341)

-------------------------------------------------------------------
Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de

- Own /etc/systemd directories to fix build.

-------------------------------------------------------------------
Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com

- install systemd service file

-------------------------------------------------------------------
Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com

- Updated to 1.4.1
  * Add support for netgroups to the LDAP and proxy providers
  * Fixes a minor bug with UIDs/GIDs >= 2^31
  * Fixes a segfault in the kerberos provider
  * Fixes a segfault in the NSS responder if a data provider crashes
  * Correctly use sdap_netgroup_search_base
  * the utility libraries libpath_utils1, libpath_utils-devel,
    libref_array1 and libref_array-devel moved to their own
    separate upstream project (ding-libs)
  * Performance improvements made to group processing of RFC2307
    LDAP servers
  * Fixed nested group issues with RFC2307bis LDAP servers without
    a memberOf plugin
  * Manpage reviewed and updated

-------------------------------------------------------------------
Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com

- remove hard coded python version

-------------------------------------------------------------------
Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com

- No dependencies on %{release}

-------------------------------------------------------------------
Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com

- Updated to 1.3.1
  * Fixes to the HBAC backend for obsolete or removed HBAC entries
  * Improvements to log messages around TLS and GSSAPI for LDAP
  * Support for building in environments using --as-needed LDFLAGS
  * Vast performance improvement for initgroups on RFC2307 LDAP servers
  * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the
    daemon if SSSD is restarted
  * Rewrote the internal LDB cache API. As a synchronous API it is now faster
    to access and easier to work with
  * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider
    - We now handle failover situations much more reliably than we did
      previously
    - We also will now monitor the GSSAPI kerberos ticket and automatically
      renew it when appropriate, instead of waiting for a connection to fail
  * Support for netlink now allows us to more quickly detect situations
    where we may have come online
  * New option "dns_discovery_domain" allows better configuration for
    using SRV records for failover
- New subpackages: libpath_utils1, libpath_utils-devel, libref_array1
  and libref_array-devel

-------------------------------------------------------------------
Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com

- Package pam- and nss-Modules as baselibs
- cleaned up file list and dependencies
- fixed init script dependencies

-------------------------------------------------------------------
Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com

- Updated to 1.1.0
  * Support for IPv6
  * Support for LDAP referrals
  * Offline failed login counter
  * Fix for the long-standing cache cleanup performance issues
  * libini_config, libcollection, libdhash, libref_array and
    libpath_utils are now built as shared libraries for general
    consumption (libref_array and libpath_utils are currently not
    packaged, as no component in sssd links against them)
  * Users get feedback from PAM if they authenticated offline
  * Native local backend now has a utility to show nested memberships
    (sss_groupshow)
  * New "simple" access provider for easy restriction of users
- Backported libcrypto support from master to avoid Mozilla NSS
  dependency
- Backported password policy improvements for LDAP provider from
  master

-------------------------------------------------------------------
Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com

- use logfiles for debug messages by default

-------------------------------------------------------------------
Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com

- subpackages for commandline tools, ipa-provider plugin and
  python API

-------------------------------------------------------------------
Fri Feb 26 14:48:50 UTC 2010 - rhafer@novell.com

- Updated to 1.0.5. Highlights:
  * Removed some dead code (libreplace)
  * Clarify licenses throughout the code

-------------------------------------------------------------------
Thu Feb 4 17:04:01 UTC 2010 - rhafer@novell.com

- Updated to 1.0.4

-------------------------------------------------------------------
Thu Oct 8 15:10:47 UTC 2009 - rhafer@novell.com

- Update to 0.6.0

-------------------------------------------------------------------
Fri Sep 4 08:59:21 UTC 2009 - rhafer@novell.com

- fix LDAP filter for initgroups() with rfc2307bis setups

-------------------------------------------------------------------
Tue Sep 1 08:58:37 UTC 2009 - rhafer@novell.com

- initial package submission