Accepting request 536206 from home:stroeder:branches:network:ldap

Update to new upstream release 1.16.0.

Successfully tested with Howard's test scripts on openSUSE Tumbleweed x86_64.

Build of man pages seems broken. But this is not caused by this sssd update because the man pages are already broken in sssd-tools-1.15.2-1.4 package in Tumbleweed.

OBS-URL: https://build.opensuse.org/request/show/536206
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=188

sssd.changes

@@ -1,3 +1,74 @@
+-------------------------------------------------------------------
+Mon Oct 23 16:31:54 UTC 2017 - michael@stroeder.com
+
+- consequently use curly brackets when referencing variables
+- Update to new upstream release 1.16.0
+
+Security fixes
+ * This release fixes CVE-2017-12173: Unsanitized input when searching in
+   local cache database. SSSD stores its cached data in an LDAP like local
+   database file using libldb. To lookup cached data LDAP search filters
+   like (objectClass=user)(name=user_name) are used. However, in
+   sysdb_search_user_by_upn_res(), the input was not sanitized and
+   allowed to manipulate the search filter for cache lookups. This would
+   allow a logged in user to discover the password hash of a different user.
+
+New Features
+ * SSSD now supports session recording configuration through tlog. This
+   feature enables recording of everything specific users see or type
+   during their sessions on a text terminal. For more information, see
+   the sssd-session-recording(5) manual page.
+ * SSSD can act as a client agent to deliver
+   Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander>
+   policies defined on an IPA server. Fleet Commander provides a
+   configuration management interface that is controlled centrally and
+   that covers desktop, applications and network configuration.
+ * Several new systemtap <https://sourceware.org/systemtap/> probes
+   were added into various locations in SSSD code to assist in
+   troubleshooting and analyzing performance related issues. Please see the
+   sssd-systemtap(5) manual page for more information.
+ * A new LDAP provide access control mechanism that allows to restrict
+   access based on PAM's rhost data field was added. For more details,
+   please consult the sssd-ldap(5) manual page, in particular the 
+   options ldap_user_authorized_rhost and the rhost value of
+   ldap_access_filter.
+
+-------------------------------------------------------------------
+Tue Jul 25 15:46:23 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.15.3 (KCM disabled)
+
+New Features
+  * In a setup where an IPA domain trusts an Active Directory domain,
+    it is now possible to define the domain resolution order
+    (see http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names).
+  * Design page - Shortnames in trusted domains <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>
+  * SSSD ships with a new service called KCM. This service acts as a
+    storage for Kerberos tickets when "libkrb5" is configured to use
+    "KCM:" in "krb5.conf".
+  * Design page - KCM server for SSSD <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>
+  * NOTE: There are several known issues in the "KCM" responder that
+    will be handled in the next release.
+  * Support for user and group resolution through the D-Bus interface and
+    authentication and/or authorization through the PAM interface even
+    for setups without UIDs or Windows SIDs present on the LDAP directory
+    side. This enhancement allows SSSD to be used together with apache
+    modules <https://github.com/adelton/mod_lookup_identity> to provide
+    identities for applications
+  * Design page - Support for non-POSIX users and groups <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>
+  * SSSD ships a new public library called "libsss_certmap" that allows
+    a flexible and configurable way of mapping a certificate to a user
+    identity.
+  * Design page - Matching and Mapping Certificates <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html>
+  * The Kerberos locator plugin can be disabled using an environment variable
+    "SSSD_KRB5_LOCATOR_DISABLE". Please refer to the
+    "sssd_krb5_locator_plugin" manual page for mode details.
+  * The "sssctl" command line tool supports a new command "user-checks"
+    that enables the administrator to check whether a certain user should be
+    allowed or denied access to a certain PAM service.
+  * The "secrets" responder now forwards requests to a proxy Custodia
+    back end over a secure channel.
+
 -------------------------------------------------------------------
 Thu Mar 16 13:32:12 UTC 2017 - hguo@suse.com