SSSD 2.0.0
Highlights
This release removes or deprecates functionality from SSSD, therefore the SSSD team decided it was time to bump the major version number. The sssd-1-16 branch will still be supported (most probably even as an LTM branch) so that users who rely on any of the removed features can either migrate or ask for the features to be re-added.
Except for the removed features, this release contains a reworked internal IPC and a new default storage back end for the KCM responder.
Platform support removal
- Starting with SSSD 2.0, upstream no longer supports RHEL-6 and its derivatives. Users of RHEL-6 are encouraged to stick with the sssd-1-16 branch.
Removed features
- The Python API for managing users and groups in local domains (`id_provider=local`) was removed completely. The interface had been packaged as a module called `pysss.local`.
- The LDAP provider had a special-case branch for evaluating group memberships with the RFC2307bis schema when group nesting was explicitly disabled. This codepath was adding needless additional complexity for little performance gain and was rarely used.
- The `ldap_groups_use_matching_rule_in_chain` and `ldap_initgroups_use_matching_rule_in_chain` options and the code that evaluated them were removed. Neither of these options provided a significant performance benefit and the code implementing them was complex and rarely used.
Deprecated features
- The local provider (`id_provider=local`) and the command line tools to manage users and groups in the local domains, such as `sss_useradd`, are not built by default anymore. There is a configure-time switch `--enable-local-domain` you can use to re-enable the local domain support. However, upstream would like to remove the local domain completely in a future release.
- The `sssd_secrets` responder is not packaged by default. The responder was meant to provide a REST API to access user secrets as well as a proxy to Custodia servers, but as Custodia development all but stopped and the local secrets handling so far didn't gain traction, we decided not to enable this code by default. This also means that the default SSSD configuration no longer requires libcurl and http-parser.
Changed default settings
- The `ldap_sudo_include_regexp` option changed its default value from `true` to `false`. This means that wildcards in the `sudoHost` LDAP attribute are no longer supported by default. The reason we changed the default was that the wildcard was costly to evaluate on the LDAP server side and at the same time rarely used.
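Because rules whose `sudoHost` relies on a wildcard silently stop matching once this default is in effect, an administrator will want to find them before upgrading. The following audit script is an added example, not part of SSSD or of these release notes: it scans an LDIF export of `sudoRole` entries (the sample below is constructed) and reports every `sudoHost` value that uses sudo's fnmatch-style wildcard characters.

```python
"""Find sudoRole entries whose sudoHost values depend on wildcard matching.

SSSD 2.0 defaults ldap_sudo_include_regexp to false, so such values are no
longer matched by default.  The LDIF below is a constructed sample; feed the
functions the output of your own ldapsearch export instead.
"""
import re

SAMPLE_LDIF = """\
dn: cn=backup,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: backup
sudoUser: backupadm
sudoHost: web*.example.com
sudoCommand: /usr/bin/rsync

dn: cn=dba,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: dba
sudoUser: %dba
sudoHost: db01.example.com
sudoHost: db0?.example.com
sudoCommand: ALL

dn: cn=everyone,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: everyone
sudoUser: ALL
sudoHost: ALL
sudoHost: +admins
sudoCommand: /usr/bin/less
"""

# fnmatch metacharacters that sudo's LDAP host patterns can contain
WILDCARD = re.compile(r"[*?\[\]]")


def parse_ldif(text):
    """Minimal LDIF parser (no base64 or continuation lines): [(dn, {attr: [values]})]."""
    entries, attrs, dn = [], {}, None
    for line in text.splitlines():
        if not line.strip():  # blank line ends an entry
            if dn:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(": ")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn:
        entries.append((dn, attrs))
    return entries


def wildcard_hosts(text):
    """Return {dn: [sudoHost values]} for every rule that relies on a wildcard."""
    result = {}
    for dn, attrs in parse_ldif(text):
        hits = [h for h in attrs.get("sudoHost", []) if WILDCARD.search(h)]
        if hits:
            result[dn] = hits
    return result


if __name__ == "__main__":
    for dn, hosts in wildcard_hosts(SAMPLE_LDIF).items():
        print(f"{dn}: {', '.join(hosts)}")
```

Entries with `ALL` or netgroup (`+name`) hosts are not reported, since those are not wildcards and keep working under the new default.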
New features
- The KCM responder has a new back end to store credential caches in a local database. This new back end is enabled by default and actually uses the same storage as the `sssd-secrets` responder had used, so the switch from sssd-secrets to this new back end should be completely seamless. The `sssd-secrets` socket is no longer required for KCM to operate.
- The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option `pam_p11_allowed_services`.
Packaging Changes
- The `sss_useradd`, `sss_userdel`, `sss_usermod`, `sss_groupadd`, `sss_groupdel`, `sss_groupshow` and `sss_groupmod` binaries and their manual pages are no longer packaged by default unless `--enable-local-provider` is selected.
- The sssd_secrets responder is no longer packaged by default unless `--enable-secrets-responder` is selected.
- The new internal IPC mechanism uses several private libraries that need to be packaged: `libsss_sbus.so`, `libsss_sbus_sync.so`, `libsss_iface.so`, `libsss_iface_sync.so`, `libifp_iface.so` and `libifp_iface_sync.so`.
- The new KCM ccache back end relies on a private library `libsss_secrets.so` that must be packaged in case either the KCM responder or the secrets responder is enabled.
Documentation Changes
- The `ldap_groups_use_matching_rule_in_chain` and `ldap_initgroups_use_matching_rule_in_chain` options were removed.
- The `ldap_sudo_include_regexp` option changed its default value from `true` to `false`.
Known issues
- #4802: The sbus codegen script relies on "python" which might not be available on all distributions
  - There is a script that autogenerates code for the internal SSSD IPC. The script happens to call "python" which is not available on all distributions. Patching the `sbus_generate.sh` file to call e.g. python3 explicitly works around the issue.