SSSD 1.15.2
Highlights
- It is now possible to configure certain parameters of a trusted domain in a configuration file sub-section. In particular, it is now possible to configure which Active Directory DCs the SSSD talks to with a configuration like this:
[domain/ipa.test]
# IPA domain configuration. This domain trusts a Windows domain win.test
[domain/ipa.test/win.test]
ad_server = dc.win.test
- Several issues related to socket-activating the NSS service, especially if SSSD was configured to use a non-privileged user, were fixed. The NSS service now doesn't change the ownership of its log files, to avoid triggering a name-service lookup while the NSS service is not running yet. Additionally, the NSS service is started before any other service to make sure username resolution works and the other services can resolve the SSSD user correctly.
- A new option cache_first allows the administrator to change the way multiple domains are searched. When this option is enabled, SSSD will first try to "pin" the requested name or ID to a domain by searching the entries that are already cached and contact the domain that contains the cached entry first. Previously, SSSD would check the cache and the remote server for each domain. This option brings a performance benefit for setups that use multiple domains (even auto-discovered trusted domains), especially for ID lookups that would previously iterate over all domains. Please note that this option must be enabled with care, as the administrator must ensure that the ID space of domains does not overlap.
- The SSSD D-Bus interface gained two new methods: FindByNameAndCertificate and ListByCertificate. These methods will be used primarily by IPA and mod_lookup_identity to correctly match multiple users who use the same certificate for Smart Card login.
- A bug where SSSD did not properly sanitize a username with a newline character in it was fixed.
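An added example (not part of the SSSD release notes or the SSSD code base): a pre-flight check for the cache_first caveat above, flagging enabled domains whose ID ranges intersect. It assumes each domain's ID space is declared with the sssd.conf options min_id and max_id; ranges assigned only on the server side are not visible to it, and the sample configuration is constructed.

```python
import configparser

# Constructed sample sssd.conf; domain names and ID ranges are made up.
SAMPLE_CONF = """
[sssd]
domains = ipa.test, ldap.test, files.test

[domain/ipa.test]
min_id = 100000
max_id = 199999

[domain/ldap.test]
min_id = 150000
max_id = 249999

[domain/files.test]
min_id = 1000
max_id = 59999
"""

UNBOUNDED = float("inf")

def domain_id_ranges(conf_text):
    """Return {domain: (min_id, max_id)} for the domains enabled in [sssd]."""
    # interpolation=None: sssd.conf values may contain '%' templates.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    ranges = {}
    for name in (d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")):
        section = "domain/" + name
        if not name or not cp.has_section(section):
            continue
        # Assumption: min_id/max_id describe the domain's whole ID space.
        lo = cp.getint(section, "min_id", fallback=1)  # sssd.conf default: 1
        hi = cp.getint(section, "max_id", fallback=0)  # sssd.conf default: 0 = no limit
        ranges[name] = (lo, UNBOUNDED if hi == 0 else hi)
    return ranges

def overlapping_domains(conf_text):
    """Return sorted pairs of domains whose [min_id, max_id] ranges intersect."""
    items = sorted(domain_id_ranges(conf_text).items())
    return [(a, b)
            for i, (a, (a_lo, a_hi)) in enumerate(items)
            for b, (b_lo, b_hi) in items[i + 1:]
            if a_lo <= b_hi and b_lo <= a_hi]

if __name__ == "__main__":
    for a, b in overlapping_domains(SAMPLE_CONF):
        print(f"cache_first unsafe: ID ranges of {a} and {b} overlap")
```

A domain with no max_id is treated as unbounded, so it is reported as overlapping every domain whose range reaches its min_id.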
Packaging Changes
None in this release
Documentation Changes
- A new option cache_first was added. Please see the Highlights section for more details.
- The override_homedir option supports a new template expansion %l that expands to the first letter of the username.