sssd.git/src/config/etc/sssd.api.d, branch simo_ccname sssd with jhrozek's patches IPA: Add a server mode option 2013-06-28T20:22:20+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-17T07:32:07+00:00 0249e8d37920f59fd70bdafa4f6706a05ae523c1 https://fedorahosted.org/sssd/ticket/1993 SSSD needs to know that it is running on an IPA server and should not look up trusted users and groups with the help of the extdom plugin but do the lookups on its own. For this a new boolean configuration option, is introduced which defaults to false but is set to true during ipa-server-install or during updates of the FreeIPA server if it is not already set. 
https://fedorahosted.org/sssd/ticket/1993

SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option, is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set.
Add now options ldap_min_id and ldap_max_id 2013-06-28T18:20:59+00:00 Sumit Bose sbose@redhat.com 2013-06-12T10:17:08+00:00 eceefd520802efe356d413a13247c5f68d8e27c8 Currently the range for Posix IDs stored in an LDAP server is unbound. This might lead to conflicts in a setup with AD and trusts when the configured domain uses IDs from LDAP. With the two noe options this conflict can be avoided. 
Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.
A new option krb5_use_kdcinfo 2013-06-10T19:03:01+00:00 Jakub Hrozek jhrozek@redhat.com 2013-06-07T09:28:35+00:00 14452cd066b51e32ca0ebad6c45ae909a1debe57 https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf 
https://fedorahosted.org/sssd/ticket/1883

The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
Adding option to disable retrieving large AD groups. 2013-05-23T09:45:38+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-05-14T16:00:10+00:00 6263578b03a52b3ec3a2e33e097554241780fc20 This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups(>1500) will not be retrieved and behaviour will be similar like was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823 
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"

https://fedorahosted.org/sssd/ticket/1823
AD: read flat name and SID of the AD domain 2013-05-07T12:12:06+00:00 Sumit Bose sbose@redhat.com 2013-05-02T18:28:30+00:00 4cdaf239d4504966bed8ecd5e3fa07def74c7302 For various features either the flat/short/NetBIOS domain name or the domain SID is needed. Since the responders already try to do a subdomain lookup when and known domain name is encountered I added a subdomain lookup to the AD provider which currently only reads the SID from the base DN and the NetBIOS name from a reply of a LDAP ping. The results are written to the cache to have them available even if SSSD is started in offline mode. Looking up trusted domains can be added later. Since all the needed responder code is already available from the corresponding work for the IPA provider this patch fixes https://fedorahosted.org/sssd/ticket/1468 
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when and known domain name is encountered I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of a LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.

Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes

https://fedorahosted.org/sssd/ticket/1468
SUDO: IPA provider 2013-05-03T17:59:40+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-04-24T18:26:40+00:00 b24e4bec819b29f1ec8e77083d4e7610c5dd9c77 This patch added auto configuration SUDO with ipa provider and compat tree. https://fedorahosted.org/sssd/ticket/1733 
This patch added auto configuration SUDO with ipa provider and compat tree.

https://fedorahosted.org/sssd/ticket/1733
DNS sites support - add AD SRV plugin 2013-05-02T14:48:12+00:00 Pavel Březina pbrezina@redhat.com 2013-04-16T13:41:33+00:00 a679f0167b646cffdae86546ed77e105576991b0 https://fedorahosted.org/sssd/ticket/1032 
https://fedorahosted.org/sssd/ticket/1032
Allow usage of enterprise principals 2013-04-22T13:33:40+00:00 Sumit Bose sbose@redhat.com 2013-03-25T16:41:19+00:00 edaa983d094c239c3e1ba667bcd20ed3934be3b8 Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842 
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.

If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.

To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.

Fixes https://fedorahosted.org/sssd/ticket/1842
DNS sites support - add IPA SRV plugin 2013-04-10T13:37:00+00:00 Pavel Březina pbrezina@redhat.com 2013-04-09T11:16:23+00:00 88275cccddf39892e01682b39b02292eb74729bd https://fedorahosted.org/sssd/ticket/1032 
https://fedorahosted.org/sssd/ticket/1032
Allow setting krb5_renew_interval with a delimiter 2013-04-03T11:33:21+00:00 Ariel Barria olivares73@hotmail.com 2013-03-27T21:04:06+00:00 1b171c456ff901ab622e44bcfd213f7de86fd787 https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters 
https://fedorahosted.org/sssd/ticket/902

changed the data type the krb5_renew_interval to string.
function krb5_string_to_deltat is used to convert and allow delimiters