sssd.git/src/config/etc, branch python_api Unnamed repository; edit this file to name it for gitweb. Allow usage of enterprise principals 2013-04-22T13:33:40+00:00 Sumit Bose sbose@redhat.com 2013-03-25T16:41:19+00:00 edaa983d094c239c3e1ba667bcd20ed3934be3b8 Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842 
Enterprise principals are currently most useful for the AD provider and
hence enabled here by default while for the other Kerberos based
authentication providers they are disabled by default.

If additional UPN suffixes are configured for the AD domain the user
principal stored in the AD LDAP server might not contain the real
Kerberos realm of the AD domain but one of the additional suffixes which
might be completely randomly chooses, e.g. are not related to any
existing DNS domain. This make it hard for a client to figure out the
right KDC to send requests to.

To get around this enterprise principals (see
http://tools.ietf.org/html/rfc6806 for details) were introduced.
Basically a default realm is added to the principal so that the Kerberos
client libraries at least know where to send the request to. It is not
in the responsibility of the KDC to either handle the request itself,
return a client referral if he thinks a different KDC can handle the
request or return and error. This feature is also use to allow
authentication in AD environments with cross forest trusts.

Fixes https://fedorahosted.org/sssd/ticket/1842
DNS sites support - add IPA SRV plugin 2013-04-10T13:37:00+00:00 Pavel Březina pbrezina@redhat.com 2013-04-09T11:16:23+00:00 88275cccddf39892e01682b39b02292eb74729bd https://fedorahosted.org/sssd/ticket/1032 
https://fedorahosted.org/sssd/ticket/1032
Allow setting krb5_renew_interval with a delimiter 2013-04-03T11:33:21+00:00 Ariel Barria olivares73@hotmail.com 2013-03-27T21:04:06+00:00 1b171c456ff901ab622e44bcfd213f7de86fd787 https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters 
https://fedorahosted.org/sssd/ticket/902

changed the data type the krb5_renew_interval to string.
function krb5_string_to_deltat is used to convert and allow delimiters
ldap: Fallback option for rfc2307 schema 2013-03-20T10:49:50+00:00 Simo Sorce simo@redhat.com 2013-03-15T19:27:31+00:00 fae99bfe4bfc8b4a12e9c2a0ad01b3684c22f934 Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020 
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.

Disabled by default as it violates identity domain separation.

Ticket:
https://fedorahosted.org/sssd/ticket/1020
Make the SELinux refresh time configurable. 2013-03-19T16:50:53+00:00 Michal Zidek mzidek@redhat.com 2013-03-01T12:44:03+00:00 ba4378f49914e65a7d687a872d9b938173841154 Option ipa_selinux_refresh is added to basic ipa options. 
Option ipa_selinux_refresh is added to basic ipa options.
Add ignore_group_members option. 2012-11-15T19:03:27+00:00 Paul B. Henson henson@acm.org 2012-11-13T11:31:43+00:00 59f136cd254d1acf2991c97221eb08803784777d https://fedorahosted.org/sssd/ticket/1376 
https://fedorahosted.org/sssd/ticket/1376
SSSDConfig: Locate the force_timeout option in the correct sections 2012-11-08T10:12:25+00:00 Stephen Gallagher sgallagh@redhat.com 2012-11-05T15:56:34+00:00 9ab30382e69fbe7b3a8f0183d3c017b41a43c54d 






authconfig: allow chpass_provider = proxy
2012-10-30T14:36:10+00:00

Pavel Březina
pbrezina@redhat.com

2012-10-30T13:00:21+00:00

f46bf56b98d056ba44b267f033e58149b44ea519

https://fedorahosted.org/sssd/ticket/1611





https://fedorahosted.org/sssd/ticket/1611







Allow setting the default_shell option per-domain as well
2012-10-18T18:19:33+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-10-17T12:43:07+00:00

66318dfe1e7138ff3fc780c4b3f0b29c4b2d8712

https://fedorahosted.org/sssd/ticket/1583





https://fedorahosted.org/sssd/ticket/1583







Make TTL configurable for dynamic dns updates
2012-10-16T11:23:51+00:00

James Hogarth
james.hogarth@gmail.com

2012-08-14T09:54:34+00:00

4fb12db7504920d12ea7db71f312334c877bff7c