| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663
|
|
https://fedorahosted.org/sssd/ticket/1318
|
|
This option will allow administrators to set a default shell to be
used if a user does not have one set in the identity provider.
https://fedorahosted.org/sssd/ticket/1289
|
|
This option is similar to override_homedir, except that it will
take effect only for users that do not have an explicit home
directory specified in LDAP.
https://fedorahosted.org/sssd/ticket/1250
|
|
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
|
|
https://fedorahosted.org/sssd/ticket/1203
|
|
subdomain_homedir - if set, it contains default value, can be overriden
in further processing
|
|
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1119
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1116
|
|
New sudo responder option: cache_timeout
https://fedorahosted.org/sssd/ticket/1111
|
|
https://fedorahosted.org/sssd/ticket/1016
|
|
https://fedorahosted.org/sssd/ticket/976
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/956
Added: --debug-microseconds=0/1
Added: debug_microseconds to sssd.conf
|
|
Adds a configure option to set the distribution default as well as
an sssd.conf option to override it.
https://fedorahosted.org/sssd/ticket/980
|
|
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
https://fedorahosted.org/sssd/ticket/742
|
|
https://fedorahosted.org/sssd/ticket/551
|
|
https://fedorahosted.org/sssd/ticket/742
|
|
|
|
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
|
|
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
|
|
This is useful so that the NSS responder can identify an domain's
entry timeout for expiring the memory cache for a lookup such as
with netgroups.
|
|
When we changed the default min_id to be 1, we forgot about the local
domain. It makes sense to keep the minimum id larger there.
|
|
There are some special cases where inotify cannot be used, even if
the host OS claims that it is supported. In these cases, it should
be possible to explicitly disable the use of inotify.
https://fedorahosted.org/sssd/ticket/484
|
|
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows to set
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479
|
|
Also update manpage for min_id/max_id to be more clear about how
it relates to primary GID.
|
|
We had a hard-coded timeout of five seconds for DNS lookups in the
async resolver. This patch adds an option 'dns_resolver_timeout'
to specify this value (Default: 5)
|
|
Fixes: #231
|
|
|
|
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past that account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and and no user references them
(no user has memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391
|
|
Adds a new option that tells resolver which address family to prefer or
use exclusively.
Fixes: #404
|
|
Kerberos-specific options are pulled using dp_get_opts() and defined
in Kerberos subtree. There is no need to keep these in confdb.
|
