Age | Commit message | Author | Files | Lines |
|
|
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
|
|
The second bit of userAccountControl is used to determine if the account
is enabled or disabled. accountExpires is checked to see if the account
is expired.
|
|
Fixed several typos
|
|
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749
|
|
Translated a couple of strings from manpages into Czech. Makes the
manpage translation patch testable.
|
|
Utilizes PO4A to extract translatable strings from Docbook XML sources
and allows translators to submit ordinary .PO files. PO4A then generates
translated Docbook documents that can be used to generate translated end
user documentation.
https://fedorahosted.org/sssd/ticket/297
|
|
https://fedorahosted.org/sssd/ticket/670
|
|
Previously, we would wait for ten seconds before starting an
enumeration. However, this meant that on the first startup (before
we had run our first enumeration) there was a ten-second window
where clients would immediately get back a response with no
entries instead of blocking until the enumeration completed.
With this patch, SSSD will now run an enumeration immediately upon
startup. Further startups will retain the ten-second delay so as
not to slow down system bootups.
https://fedorahosted.org/sssd/ticket/616
|
|
This patch adds simple_allow_groups and simple_deny_groups options
to the simple access provider. It makes it possible to grant or
deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now
all deny rules will supersede allow rules. Previously, if both
simple_allow_users and simple_deny_users were set with the same
value, the allow would win.
https://fedorahosted.org/sssd/ticket/440
|
|
Two new options are added to the LDAP access provider to allow a broader
range of access control rules to be evaluated.
'ldap_access_order' makes it possible to run more than one rule. To keep
compatibility with older versions the default is 'filter'. This patch
adds a new rule 'expire'.
'ldap_account_expire_policy' specifies which LDAP attribute should be
used to determine if an account is expired or not. Currently only
'shadow' is supported which evaluates the ldap_user_shadow_expire
attribute.
|
|
https://fedorahosted.org/sssd/ticket/691
|
|
https://fedorahosted.org/sssd/ticket/665
|
|
Currently sssd does not support authentication via GSSAPI. I think it
is not necessary to support it, because if GSSAPI is possible Kerberos
should be used for authentication.
|
|
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
|
|
Also allow it to be disabled entirely
|
|
For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in the config file,
krb5_server has a higher priority.
Fixes: #543
|
|
The <entity> can be one of user, group or netgroup. The references were removed
from example configuration and they were moved from section Configuration options
to section Advanced options.
Ticket: #607
|
|
Each back end can support id, auth or access provider, but each
back end supports a different subset of these. Man pages should
describe which providers are supported by each back end.
Ticket: #615
|
|
When an obfuscated password is used in the config file, the LDAP backend
converts it back to clear text and uses it to authenticate to the
server.
|
|
A tool to add obfuscated passwords into the SSSD config file
|
|
Some config options updated, newly documented 12 new options.
|
|
There are some special cases where inotify cannot be used, even if
the host OS claims that it is supported. In these cases, it should
be possible to explicitly disable the use of inotify.
https://fedorahosted.org/sssd/ticket/484
|
|
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows setting
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479
|
|
https://fedorahosted.org/sssd/ticket/542
|
|
The local domain has the magic private groups option set
unconditionally. Therefore, it does not make any sense to let the user
configure the primary GID. As a side-effect, this fixes #522.
|
|
Fixes: #531
|