SSSD 2.3.0
Highlights
New features
- SSSD can now handle hosts and networks nsswitch databases (see resolver_provider option)
- By default, an authentication request only refreshes the user's initgroups if it is expired or there is no active session for the user (see pam_initgroups_scheme option)
- OpenSSL is used as the default crypto provider, NSS is deprecated
- Active Directory provider now defaults to GSS-SPNEGO SASL mechanism (see ldap_sasl_mech option)
- Active Directory provider can now be configured to use only ldaps port (see ad_use_ldaps option)
- SSSD now accepts host entries from GPO's security filter
- Format of debug messages has changed to be shorter and better sortable
- New debug level (0x10000) was added for low level ldb messages only (see sssd.conf man page)
Packaging changes
- New configure option --enable-gss-spnego-for-zero-maxssf
Documentation Changes
- Default value of ldap_sasl_mech has changed to GSS-SPNEGO for AD provider
- Return codes of pam_sss.so are documented in the pam_sss man page
- Added option ad_update_samba_machine_account_password
- Added option ad_use_ldaps
- Added option ldap_iphost_object_class
- Added option ldap_iphost_name
- Added option ldap_iphost_number
- Added option ldap_ipnetwork_object_class
- Added option ldap_ipnetwork_name
- Added option ldap_ipnetwork_number
- Added option ldap_iphost_search_base
- Added option ldap_ipnetwork_search_base
- Added option ldap_connection_expire_offset
- Added option ldap_sasl_maxssf
- Added option pam_initgroups_scheme
- Added option entry_cache_resolver_timeout
- Added option entry_cache_computer_timeout
- Added option resolver_provider
- Added option proxy_resolver_lib_name
- Minor text improvements