SSSD 1.13.0

Highlights

• Support for separate prompts when using two-factor authentication was added
• Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that will be released in the IPA 4.2 version
• The fast memory cache now also supports the initgroups operation.
• The PAM responder is now capable of caching authentication for configurable period, which might reduce server load in cases where accounts authenticate very frequently. Please refer to the cached_auth_timeout option in the sssd.conf manual page.
• The Active Directory provider has changed the default value of the ad_gpo_access_control option from permissive to enforcing. As a consequence, the GPO access control now affects all clients that set access_provider to ad. In order to restore the previous behaviour, set ad_gpo_access_control to permissive or use a different access_provider type.
• Group Policy objects defined in a different AD domain that the computer object is defined in are now supported.
• Credential caching and Offline authentication are also available when using two-factor authentication
• Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users and groups are now exposed as first-class objects. The users and groups can also be marked as cached and would subsequently show up in the Introspection output
• The DBus interface is now also able to look up User objects by certificate. This is a first part of work that will eventually allow smart-card authentication in SSSD.
• The LDAP cleanup task is now disabled by default, unless enumeration is enabled. Please refer to the ldap_purge_cache_timeout option in case your environment requires the cleanup task
• The Python bindings are now built for both Python2 and Python3
• The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the ldap_opt_timeout option

Packaging Changes

• A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable to the user who runs the SSSD service.
• Several packaging changes are present in this release to support the Python3 bindings, notably new python-sss and python-sss-murmur subpackages are introduced in upstream RPM packaging
• All python bindings now have a Python3 and a Python2 version in the upstream RPM packaging scheme
• The OpenSSL development library such as openssl-devel on RHEL/Fedora or Debian/Ubuntu libssl-dev is now required to support certificate operations
• A new internal library libsss_cert.so is present in this release.
• The fast initgroups memcache is represented by a new file /var/lib/sss/mc/initgroups

Documentation Changes

• The ad_gpo_access_control option default has changed from permissive to enforcing
• The default value of ldap_purge_cache_timeout changed to 0, thus effectivelly disabling the cleanup task.
• A new option cache_credentials_minimal_first_factor_length was added. This option sets constraints on the password length if One-Time passwords are used and credentials are to be cached. Please see the sssd.conf(5) man page for more details
• The cached authentication is controlled by new option cached_auth_timeout. By default the cached authentication is disabled.

See full release notes here.