ce43f710c9638fbbeae077559cd7514370a10c0c |
|
02-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: add pam_response_filter option
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment variable for services like 'sudo-i'.
Resolves https://fedorahosted.org/sssd/ticket/2296
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
aef0171e0bdc9a683958d69c7ee984fb10cd5de7 |
|
13-Sep-2016 |
Petr Cech <pcech@redhat.com> |
PROXY: Adding proxy_max_children option
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.
Resolves:
https://fedorahosted.org/sssd/ticket/3153
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
081c6d8c7c8e75487d1c4e42862964be1e85b575 |
|
12-Sep-2016 |
Justin Stephenson <jstephen@redhat.com> |
MONITOR: Add disable_netlink option
Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.
Resolves:
https://fedorahosted.org/sssd/ticket/3142
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
fa93cd0f0fc75a6d635079e67788f8a9fe183c3c |
|
30-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MONITOR: Remove the no longer used kill_service command
After introducing the watchdog, the force_timeout option is no longer
used.
Resolves:
https://fedorahosted.org/sssd/ticket/3052
Reviewed-by: Petr Čech <pcech@redhat.com> |
2a03170b6990c37ac2f7376ea740613c47ef2573 |
|
04-Aug-2016 |
Thorsten Scherf <tscherf@redhat.com> |
Fixed some typos in man pages
Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> |
c82789aad172d7ebd9f616510bdbe950dccd51ac |
|
07-Jul-2016 |
Michal Židek <mzidek@redhat.com> |
MAN: Config file merging
Related to:
https://fedorahosted.org/sssd/ticket/2247
Explain configuration merging in sssd.conf
man page.
Signed-off-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com> |
131684b9107a3fc07906013d16b35975531f2864 |
|
16-Jun-2016 |
Stephen Gallagher <sgallagh@redhat.com> |
DEBUG: Add `debug` alias for debug_level
Our users constantly make the mistake of typing `debug = 9` in the
sssd.conf instead of `debug_level = 9` as would be correct. This
happens frequently-enough that we should just alias it rather than
continue to have people make mistakes.
Resolves:
https://fedorahosted.org/sssd/ticket/2999
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com> |
e7ccfb139388c947ec2dee16cfe3005f5643b90d |
|
10-Jun-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDERS: Negative caching of local users
This patch adds new option 'neg_cache_locals_timeout' into section
of NSS responder. It allows negative caching of local groups and
users. Default value is 0 which means no caching.
Resolves:
https://fedorahosted.org/sssd/ticket/2928
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
53ef8f81b60929a6c866efdd133627e7d7d61705 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
p11: add OCSP default responder options
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
aa35995ef056aa8ae052a47c62c6750b7adf065e |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
p11: add no_verification option
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
875c90d531e6869a92da4b515db729ffce7c4244 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
p11: add missing man page entry and config API
The pam_cert_auth and pam_cert_db_path options were missing in the
config API and had no man page entries.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d0d7de66c9494621c1bc12384e41e5e38a77fbeb |
|
13-Apr-2016 |
Sumit Bose <sbose@redhat.com> |
PAC: only save PAC blob into the cache
Resolves https://fedorahosted.org/sssd/ticket/2158
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
37bdd235705639174631963ab13404e409da926d |
|
06-Apr-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Remove duplicate description of the pam_account_locked_message option
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
9df3b9dd412bc4392f13a601decc45380b6ba69b |
|
09-Mar-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Move proxy_fast_alias to the correct man section
The option was in the general section, belongs to the proxy section.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ea95e37aa4be529a13f43224ffafe7797df73dda |
|
09-Mar-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Move subdomain_inherit to the correct man section
The option was in the general section, belongs to the domain section.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
763f24777fe3c9be4efe495077e7bb1feb99a3bd |
|
23-Feb-2016 |
Sumit Bose <sbose@redhat.com> |
subdomains: inherit ldap_krb5_keytab
If a non-default keytab is configured for the parent domain the
subdomains will still use the default keytab because the alternative
keytab is not inherited. As a consequence SSSD might not be able to
connect to services in the subdomain because the default keytab is
either not present or does not have suitable keys.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
09092b6535b711b9b734ed0c047c671de9e6cafd |
|
17-Feb-2016 |
Dan Lavu <dlavu@redhat.com> |
PAM: Fix man for pam_account_{expired,locked}_message
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4180d485829969d4626cc7d49d2b5f7146512f21 |
|
17-Feb-2016 |
Pavel Reichl <preichl@redhat.com> |
PAM: Pass account lockout status and display message
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a3d9b7eea4a92a57b274e1c9df6108e916f823c8 |
|
10-Dec-2015 |
Michal Židek <mzidek@redhat.com> |
MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
Fixes:
https://fedorahosted.org/sssd/ticket/2787
We already mention SSS_NSS_USE_MEMCACHE in sssd(8)
but it makes sense to note it in sssd.conf(5)
together with the memcache_timeout.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8ff199fca4e7b474d3b92759db96ff87ac5fb8cb |
|
30-Nov-2015 |
Dan Lavu <dlavu@redhat.com> |
MAN: Clarify that subdomain_inherit only works for IPA and AD
Resolves:
https://fedorahosted.org/sssd/ticket/2683
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
03b859510dc13a13a456ca4aa94c0561a0e9684c |
|
26-Nov-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Add autofs provider
https://fedorahosted.org/sssd/ticket/1632
Adds the possibility to configure:
autofs_provider = ad
The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is
different (at the moment) from using autofs_provider=ldap with
ldap_schema=ad.
Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
544a20de7667f05c1a406c4dea0706b0ab507430 |
|
26-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
bf4ddcde94fc36b44bc9cbcc5d56e6e35776bfc9 |
|
07-Oct-2015 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
man: Note filter_groups are not affecting nesting
Note that the "filter_groups" option doesn't affect nested member
inheritance, on the sssd.conf(5) manpage.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
27293426dca1bf9140dc6ed277f7129a44a68a62 |
|
07-Oct-2015 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
man: Mention groups in filter_groups description
Mention groups (not only users) in the combined
"filter_users"/"filter_groups" option description on the sssd.conf(5)
manpage.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c156a67bbd627f1085668f87093b2a9ed81dd24a |
|
02-Oct-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: proxy and krb5 are valid access control modules
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
c57b54505dbeca931fcf47b243d59eb73d8683bb |
|
02-Oct-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Clarify pam_trusted_users option description
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
d85be8ad409c9efa9cf9e9ab6f9c2d911b01e5c1 |
|
23-Sep-2015 |
Michal Židek <mzidek@redhat.com> |
PAM: Make p11_child timeout configurable
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
2b490bc947dbe0094417304840bd721417a162d9 |
|
03-Sep-2015 |
Pavel Reichl <preichl@redhat.com> |
Remove trailing whitespace
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
4de84af23db74e13e867985c9093f394c9fa8d51 |
|
31-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
ssh: generate public keys from certificate
Resolves: https://fedorahosted.org/sssd/ticket/2711
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f91029dd8d7dbc026a5c73e222926db957240cb4 |
|
23-Jul-2015 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix minor typos
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
0aa18cc0bf3447ca734476926724f1632e160807 |
|
06-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: authenticate against cache
Enable authenticating users from cache even when SSSD is in online mode.
Introduce new option `cached_auth_timeout`.
Resolves:
https://fedorahosted.org/sssd/ticket/1807
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9b162bf39ef75629f54ffa1d0bd5f9c13119b650 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Inherit ignore_group_members
Resolves:
https://fedorahosted.org/sssd/ticket/2644
Allows the administrators to extend ignore_group_members to subdomains
as well by setting:
subdomain_inherit = ignore_group_members
in the domain section.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
confdb: Add new option subdomain_inherit
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
5c2f80ef0b6ace6b331bcf99e5e5c7d73cfb92c6 |
|
18-May-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: refresh_expired_interval also supports users and groups
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
932c3e22e3c59a9c33f30dcc09e6bef257e14320 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
Add cache_credentials_minimal_first_factor_length config option
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9619e0ae811958821d96466e419bf7f9928086bd |
|
11-Mar-2015 |
Michal Zidek <mzidek@redhat.com> |
MAN: default_domain_suffix with use_fully_qualified_names.
https://fedorahosted.org/sssd/ticket/2569
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
e039f1aefecc65a7b3c2d4a13a612bff1dd367c8 |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: new option pam_account_expired_message
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9a15eb105d01d9e100e69e9d66fb8e880b228246 |
|
15-Jan-2015 |
Pavel Reichl <preichl@redhat.com> |
MAN: add dots as valid character in domain names
Add dots into a set of allowed characters for domain names.
Resolves:
https://fedorahosted.org/sssd/ticket/2527
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
dcaf214652568da55b1caf382e04f99b51a544f3 |
|
15-Jan-2015 |
John Dickerson <jedicker@iastate.edu> |
MAN: Amend the description of ignore_group_members
The option description should hint that enabling this option may have a
positive effect on access control, especially with large groups.
See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example
where ignoring the group members helped.
Signed-off-by: Jakub Hrozek <jakub.hrozek@posteo.se>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
ecf9e7a870945ecfba8eb751d344de3601de9424 |
|
14-Jan-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
MAN: Remove indentation in element programlistening
The indentation is automatically in resulting man page. It isn't necessary to
add spaces and moreover it can cause unreadable page as in case of ad_gpo_map
examples.
Reviewed-by: Roland Mainz <rmainz@redhat.com> |
5d5687c43ec20d343da3f9d7322143718d38267e |
|
13-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Misspelled username in pam_trusted_users is not fatal
The man page claimed that failing to resolve a user name results in
failure to start SSSD, but it's not the case and shouldn't be, because
marking a user as trusted only elevates privileges, so it's safe to
ignore that failure.
https://fedorahosted.org/sssd/ticket/2530
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
cbbe63ded9d628ffb2494132ca1e5ebe90e2d5f8 |
|
20-Nov-2014 |
Michal Zidek <mzidek@redhat.com> |
Man: debug_timestamps and debug_microseconds
Add note that these two options are ignored if
journald is used.
https://fedorahosted.org/sssd/ticket/2498
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a40897fce90abf48882ea74f923711df7333fecf |
|
20-Nov-2014 |
Michal Zidek <mzidek@redhat.com> |
MAN: Update case_sensitive=Preserving in man pages.
https://fedorahosted.org/sssd/ticket/2462 |
166ddd0dfbda28b1c6773f386bb7ff88914af91a |
|
05-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
nss: parse user_attributes option
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e88d426def412c0dde83e15fe17cdf374ee70166 |
|
22-Oct-2014 |
Denis Kutin <dekutin@ya.ru> |
NSS: Possibility to use any shells in 'allowed_shells'
Resolves:
https://fedorahosted.org/sssd/ticket/2219
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
a10ac1d0a7210def232205a48c53a075930e82f6 |
|
22-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SSSD: Load a user to run a service as from configuration
Related:
https://fedorahosted.org/sssd/ticket/2370
Adds an option, user to run as, that is specified in the [sssd] section. When
this option is specified, SSSD will run as this user and his private
group. When these are not specified, SSSD will run as the configure-time
user and group (usually root).
Currently all services and providers are started as root. There is a
temporary svc_supported_as_nonroot() function that returns true for a
service if that service runs and was tested as nonroot and false
otherwise. Currently this function always returns false, but will be
amended in future patches.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
830ded27453015080a54d6ba85fd4999ee7e9af1 |
|
29-Sep-2014 |
Pavel Reichl <preichl@redhat.com> |
PAM: new options pam_trusted_users & pam_public_domains
pam_public_domains option is a list of numerical UIDs or user names
that are trusted.
pam_public_domains option is a list of domains accessible even for
untrusted users.
Based on:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
b9125f3e1263e27f886f22cbf085000292b3ab90 |
|
18-Sep-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: AD is allowed value of subdomains_provider
https://fedorahosted.org/sssd/ticket/2442
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
3ac7c4fe618ede980a4df8d90341ef1fd0f1f62f |
|
05-Sep-2014 |
William B <william@adelaide.edu.au> |
SSS_CACHE: Allow sss_cache tool to flush SSH hosts cache
Resolves:
https://fedorahosted.org/sssd/ticket/2358
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
92d19f76449817dfb125da9510d478a30eed37bc |
|
01-Sep-2014 |
Sumit Bose <sbose@redhat.com> |
Replace space: add some checks
This patch adds some additional checks if the option for replacing
spaces in user and group names is used.
When replacing space with the replacement character it is checked if the
name already contains the replacement character. If it does the
unmodified name is returned because in this case a reverse operation
would not be possible.
For the reverse operation it is checked if the input contains both a
space and the replacement character. If this is true the unmodified name
is returned as well, because we have to assume that it is the original
name because otherwise it wouldn't contain both characters.
Additionally a shortcut if the replacement character is a space and
tests for the new checks are added. The man page is updated accordingly.
Related to https://fedorahosted.org/sssd/ticket/1854 and
https://fedorahosted.org/sssd/ticket/2397 .
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f3a5ac1a50c1fccd0801023658e42d2093e1a33a |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Make the space override responder-agnostic
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1f3127e88a87953f059c9a70d3582ae1719594b1 |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Only replace space with the specified substitution
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d3e70b9afcc1d0a222cd8c5194e530f559915798 |
|
12-Aug-2014 |
Michal Zidek <mzidek@redhat.com> |
MAN: offline_timeout
Amend the man page to reflect current behaviour.
https://fedorahosted.org/sssd/ticket/2401
Reviewed-by: Dan Lavu <dlavu@redhat.com> |
abbf4f494f57c2b0a7ad0ac758db24a1c05df9be |
|
29-Jul-2014 |
Michal Zidek <mzidek@redhat.com> |
MAN: case_sensitivity man page update
Fixes:
https://fedorahosted.org/sssd/ticket/2367
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
21bc143c2855638242e9dfe01ea66198b5883b8a |
|
28-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Replace spaces with specified string in names.
This patch adds the possibility to replace whitespace in user and group names with
a specified string. With string "-", sssd will return the same result as
winbind enabled option "winbind normalize names"
Resolves:
https://fedorahosted.org/sssd/ticket/1854
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com> |
f7de6fc66192e935184f91c3187efaa24a6ba439 |
|
14-Jul-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: local auth_provider is not documented in sssd.conf
https://fedorahosted.org/sssd/ticket/2359
Reported by Stephan Mueller.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
7fa8c51e7ece2f4fed046d9f2a43d20c13db645c |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
MAN: Add reference to manual page sssd-sudo
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
ae0a5011e2644eaa482ea1b9e1451eff05c676b9 |
|
02-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Add option to expand homedir template format
LDAP server can contain template for home directory instead of plain string.
This patch adds new expand option "%H", which will be replaced with value
from configuration option homedir_substring (from sssd.conf)
Resolves:
https://fedorahosted.org/sssd/ticket/1853 |
6973f38e624e757587b14f1dbabc3466492d1dac |
|
01-Jun-2014 |
Pavel Březina <pbrezina@redhat.com> |
man: clarify refresh_expired_interval
https://fedorahosted.org/sssd/ticket/2114
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
cb4d5b588e704114b7090678752d33512baa718e |
|
04-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Re-add the InfoPipe server
Related:
https://fedorahosted.org/sssd/ticket/2072
This commit only adds the responder and the needed plumbing. No DBus
related code is in yet. |
64319158ab6a0e6df2bb03f4fde31668cceb082b |
|
13-Mar-2014 |
Pavel Reichl <preichl@redhat.com> |
MAN: new general options section
Some options are relevant to multiple sections of sssd.conf. This patch adds
new sections for those.
Resolves:
https://fedorahosted.org/sssd/ticket/2218
Reviewed-by: Sumit Bose <sbose@redhat.com> |
61804568ce5ede3b1a699cda17c033dd6c23f0e3 |
|
02-Mar-2014 |
Sumit Bose <sbose@redhat.com> |
SUDO: AD provider
This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different settings.
Fixes https://fedorahosted.org/sssd/ticket/2256
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e684f302ba5cdb2d822fa8551e9f9614d4cd46d6 |
|
05-Feb-2014 |
Pavel Reichl <preichl@redhat.com> |
MAN: update of subdomain_homedir usage
Resolves:
https://fedorahosted.org/sssd/ticket/2169 |
7f8273d35cb7d563b066bf52ae17022b1e9ec3f8 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: clarify which shell option takes precedence |
5ccfc0ce0d72f9e09e377679ac9fdc386cf7d0f1 |
|
20-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Fix a typo |
4fcc27c0474b1879119cb04de4ed209711df231e |
|
07-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
confdb: Make offline timeout configurable
Added and documented option offline_timeout.
Resolves:
https://fedorahosted.org/sssd/ticket/1718 |
21e9b2c71dfabd3e6b39f6e2911edbb28f3439d3 |
|
05-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Document that sss_cache should be run after changing the cache timeout |
33c865412732554ef255e93c4e7a58b0bce963c6 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option to control subdomain enumeration |
1933ff17513da1d979dd22776a03478341ef5e6b |
|
29-Jul-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
Netgroups should ignore the 'use_fully_qualified_names' setting
Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.
https://fedorahosted.org/sssd/ticket/2013 |
6176eeeae6e75d3ce78eb98d46dc478541ba6282 |
|
24-Jul-2013 |
Michal Zidek <mzidek@redhat.com> |
Set default DNS resolution timeout to 6 seconds.
Partially solves ticket:
https://fedorahosted.org/sssd/ticket/1966
To avoid the problem mentioned in the ticket above, option
dns_discovery_domain must be set properly. |
d1ccb40d426d7c67dfa0c86cdabbb3ed9a7585eb |
|
17-Jul-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Clarify the min_id/max_id limits further
https://fedorahosted.org/sssd/ticket/2005
Some users were confused by our description of min_id/max_id and thought
the limits only applied to returning entries from the NSS responder.
However, the limits are actually enforced on the back end side, so the
entries are not even saved to cache. |
1091c0ae2f1596ceb161e5b765a91c23c413b369 |
|
12-Jun-2013 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix minor typos |
0cf0e2d758d09e9b314ba72ce6638df10b258462 |
|
10-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
back end: add refresh expired records periodic task
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval. |
92af6f25864b5c389b57d0f659686801b45ca58c |
|
06-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Enhance PAC responder for AD users
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now looked up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558 |
777374243e15c53e7b0a7345e190c1018920be18 |
|
30-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow flat name in the FQname format
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format. |
21d89c38f22bf3b0c013b72988484c73db6ccecb |
|
23-May-2013 |
Stef Walter <stefw@redhat.com> |
Add a domain config attribute for realmd
realmd needs to be able to tag various domains with basic info
when it configures a domain. |
4cdaf239d4504966bed8ecd5e3fa07def74c7302 |
|
07-May-2013 |
Sumit Bose <sbose@redhat.com> |
AD: read flat name and SID of the AD domain
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when and known domain name is encountered I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of a LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes
https://fedorahosted.org/sssd/ticket/1468 |
95972b3250651a0d8eb823dbf6d5e8308c331a8d |
|
26-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Document the naming convention for SSSD domains
https://fedorahosted.org/sssd/ticket/1809 |
6fc4702a3037d9bb5b27bcb58f70edf1802b7b19 |
|
10-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow using flatname for subdomain home dir template
https://fedorahosted.org/sssd/ticket/1609 |
591b0325f5d6f70ae71e61a8c563b437acfb1884 |
|
10-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Put the override_homedir into an included xml file
The description was duplicated in two places, leading to errors where
one was amended but the other was not. |
2cbb879c517f2c756a2eb3962527979bac01ddab |
|
10-Feb-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add original homedir to home directory template options
https://fedorahosted.org/sssd/ticket/1805 |
579e1e23fb0bc7d6d4837cefb5b1c971cbd2223f |
|
28-Jan-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: Clarify that saving users after enumerating large domain might be CPU intensive
https://fedorahosted.org/sssd/ticket/1732 |
90f4d0cec9245d8f6838044408a38d6d31101777 |
|
05-Dec-2012 |
Jan Cholasta <jcholast@redhat.com> |
MAN: Move ssh_known_hosts_timeout documentation to the correct section |
f70dc1039451863bebb1a3af5d6eb027f40de8e7 |
|
16-Nov-2012 |
Ondrej Kos <okos@redhat.com> |
MAN: quotation fix
I noticed that the proxy in auth_provider section of sssd.conf manpage
isn't quoted when all others are. |
59f136cd254d1acf2991c97221eb08803784777d |
|
15-Nov-2012 |
Paul B. Henson <henson@acm.org> |
Add ignore_group_members option.
https://fedorahosted.org/sssd/ticket/1376 |
5063dcc5ab685dce325b13b9c1e93cee2a673e60 |
|
14-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Run IPA subdomain provider if IPA ID provider is configured
To make configuration easier the IPA subdomain provider should be always
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used the IPA
subdomain provider should behave differently if configured explicitly or
implicitly.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf, subdomain requests are always sent to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will only be sent to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch saves the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613 |
144f36de56fdad2f373df21fc3c785bd8cd305e7 |
|
08-Nov-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Specify the correct location for the force_timeout option |
66318dfe1e7138ff3fc780c4b3f0b29c4b2d8712 |
|
18-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow setting the default_shell option per-domain as well
https://fedorahosted.org/sssd/ticket/1583 |
dc739a494ca7f673c0c13b77c5303c254987761c |
|
12-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: improve wording of default_domain parameter |
ae526063fcbc4b4c440e35e01e4eca35358c2906 |
|
09-Oct-2012 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix typos |
002dfe55ef258b73ca85eb813b1a156789b7702a |
|
05-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
man: Note that automounter must be restarted to re-read the master map
https://fedorahosted.org/sssd/ticket/1563 |
3882325ff60f89d0c312e9519bdfd1351978fd73 |
|
05-Oct-2012 |
Jan Cholasta <jcholast@redhat.com> |
SSH: Expire hosts in known_hosts |
767caa58f91bf87586c872b67896297ff4073241 |
|
02-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Add man page section about provider specific re_expression
Fixes: https://fedorahosted.org/sssd/ticket/1525 |
1542b85f13d72329685bdd97aa879c36d11f81be |
|
01-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Add new option default_domain_suffix |
b2f9e5b7d553172401a340eb4a9c3abda6b5db43 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
autofs, sudo, ssh and PAC are not experimental anymore |
8791b277ed173be2a258116a9203ba1862c30f65 |
|
10-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Document entry_cache_autofs_timeout |
c0d9babd59c81c12ca182ab3a72176d4fae494a4 |
|
03-Aug-2012 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix various typos in documentation. |
38e2ec1c757955ab557fd95807afa58042d09482 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Renamed session provider to selinux provider |
695bca9d2f73096254308e0883fcc74b2631850e |
|
20-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add override_shell option
If override_shell is specified in the [nss] section, all users
managed by SSSD will have their shell set to this value. If it is
specified in the [domain/DOMAINNAME] section, it will apply to
only that domain (and override the [nss] value, if any).
https://fedorahosted.org/sssd/ticket/1087 |
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3 |
|
20-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Improvements to the AD provider manpage
Add information about ID mapping (including how to disable it) as
well as information on how to handle homedir and shell.
https://fedorahosted.org/sssd/ticket/1433 |
813c26345fb0d41f86f20d365abe9d579c2bc397 |
|
20-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: List all available backends for provider options
https://fedorahosted.org/sssd/ticket/1432 |
fedfe77716aa25b0f5e0314ae5c7b3e8ed1d76a2 |
|
10-Jul-2012 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix typo: exhasution->exhaustion. |
2d257ccf620ce1b611f89cec8f0a94c88c2f2881 |
|
10-Jul-2012 |
Sumit Bose <sbose@redhat.com> |
pac responder: limit access by checking UIDs
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382 |
544525ee1fc54d744c08465066e2b4a521f78224 |
|
06-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Unify "SEE ALSO" sections |
b8e70735b8aaabb3de2a063daa60cfadf185b269 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: manpage updated
Removes old options and adds new ones. |
efc4a645d50f68d2a289c7e8a05bedf051d3c67d |
|
25-Jun-2012 |
Sumit Bose <sbose@redhat.com> |
Set default for subdomain_homedir |
a8781a38b5fca84647d59199fd0b0b4b2d4624e0 |
|
25-Jun-2012 |
Sumit Bose <sbose@redhat.com> |
Add man page section for the PAC responder |
bb79e7559dae451a14150377099e32d6b5159a6c |
|
18-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Make the client idle timeout configurable |
19d69c58b288e10212ff83ae77b913fd0e2badd0 |
|
13-Jun-2012 |
Ariel Barria <arielb@fedoraproject.org> |
Clarify how comments work in sssd.conf |
3c60433641ce2e86b9b04778c8f8652ef0d097e4 |
|
13-Jun-2012 |
Stef Walter <stefw@gnome.org> |
Make re_expression and full_name_format per domain options
* Allows different user/domain qualified names for different
domains. For example Domain\User or user@domain.
* The global re_expression and full_name_format options remain
as defaults for the domains.
* Subdomains get the re_expression and full_name_format of
their parent domain.
https://bugzilla.redhat.com/show_bug.cgi?id=811663 |
e9f08ebaba5ec61af74c112f50c7d66257998c97 |
|
10-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Allow fast memcache timeout to be configurable
https://fedorahosted.org/sssd/ticket/1318 |
65cbece2e1c536b93ad5e7cbea9f20ae3fdf7a08 |
|
14-May-2012 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix typos in message and man pages. |
3db7aca0479a30f4a1e66a35b4b7b7bcfd81a78f |
|
11-May-2012 |
Ariel Barria <arielb@fedoraproject.org> |
Bad check for id_provider=local and access_provider=permit
documentation-access_provider
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
312818233ce48471c56d1a7589579892d9726e3b |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add default_shell option
This option will allow administrators to set a default shell to be
used if a user does not have one set in the identity provider.
https://fedorahosted.org/sssd/ticket/1289 |
f6dbb235373b122ae15643ef5dbbe821ee1307d9 |
|
10-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add fallback_homedir option
This option is similar to override_homedir, except that it will
take effect only for users that do not have an explicit home
directory specified in LDAP.
https://fedorahosted.org/sssd/ticket/1250 |
0327d4d33a0fba0590d9066ace18f7128b2de2c5 |
|
10-May-2012 |
Stef Walter <stefw@gnome.org> |
Clearer documentation for use_fully_qualified_names
* Previously only the side effect was described. |
bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 |
|
04-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modify behavior of pam_pwd_expiration_warning
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
applied at all - if backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider. |
4fa3ef8d8a8a3cddf8025d306c3b90b37dd431bc |
|
24-Apr-2012 |
Jan Cholasta <jcholast@redhat.com> |
SSH: Add support for hashed known_hosts
https://fedorahosted.org/sssd/ticket/1203 |
8ccb0de226ccb9330f5a6865de487d6f0313902d |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
New config option for subdomains
subdomain_homedir - if set, it contains default value, can be overridden
in further processing |
fe1ac2443811a7125f2ddd0382a3f437f20377de |
|
24-Apr-2012 |
Sumit Bose <sbose@redhat.com> |
data provider: added subdomains |
c0f9698cd951b7223f251ff2511c4b22a6e4ba60 |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Responder part of the subdomain retrieval work |
9973a3ae3095fd9bccfc48ec70b987fdd9907bc7 |
|
20-Apr-2012 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix typo: retreiving->retrieving |
32472cc4c9c42e49673e3282095f164531c6eb41 |
|
20-Apr-2012 |
Marco Pizzoli <marco.pizzoli@gmail.com> |
Two manual pages fixes |
b83e43eb88879c7fb3114aafcc525356ff7d4235 |
|
20-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Make the monitor SIGKILL time configurable
https://fedorahosted.org/sssd/ticket/1119 |
51773686d354b82081830444c048706d83d43d65 |
|
20-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
proxy: new option proxy_fast_alias |
421bf81e49f430f8fe5f1a58333edad1696372fb |
|
18-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: document the hostid and autofs providers |
16f925f39f7428b2b1aaede44971bfbfcd151d3f |
|
18-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
MAN: timeout can be specified for services, too |
f001756e1de68175c37b9353b88576717a9da55f |
|
18-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove the "command" option from documentation
It is a low-level developer option not intended to be consumed by users
https://fedorahosted.org/sssd/ticket/1174 |
457927f4210a0c41289521d55617b6d6bb6a46e0 |
|
17-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDERS: Make the fd_limit setting configurable
This code will now attempt first to see if it has privilege to set
the value as specified, and if not it will fall back to the
previous behavior. So on systems with the CAP_SYS_RESOURCE
capability granted to SSSD, it will be able to ignore the
limits.conf hard limit.
https://fedorahosted.org/sssd/ticket/1197 |
14b0185a02b24b8bc8c1f880ae80bf4a3ac07d7b |
|
07-Feb-2012 |
Yuri Chornoivan <yurchor@ukr.net> |
fix typos in manual |
28eff88014a299041564e829b8b6e0f159baa24d |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Man pages for the session target and SELinux user maps fetching |
9e80079370ff3b943832adc3c5ef430e64be0a0c |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: responder |
4be402505ba20b43361753f0e6e1589c9b029e81 |
|
04-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fixes for sudo_timed
https://fedorahosted.org/sssd/ticket/1116 |
41ef946f3f74a46b9e26118116e4811e259b30ef |
|
04-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - in-memory cache in responder
New sudo responder option: cache_timeout
https://fedorahosted.org/sssd/ticket/1111 |
bd92e8ee315d4da9350b9ef0358c88a7b54aeebe |
|
04-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
NSS: Add individual timeouts for entry types
https://fedorahosted.org/sssd/ticket/1016 |
4182b3a1f9f6e1823db9832533c6c9e51d13da8e |
|
31-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Include sudo manual pages only conditionally |
173f557c915aeee80a0c3dc8ae4d3f44dd5bc7c9 |
|
31-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - manual page
https://fedorahosted.org/sssd/ticket/1109 |
b3b42c49656e192787a983aaa8b9ec744ba4cb9d |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the case sensitivity flag in responders |
f0a34aeb49f3efd4c94b5afcb22671aac3098ddb |
|
10-Nov-2011 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix typos in manual pages |
db2c71bd61b7e1610ea1a178ef05059ef952685a |
|
21-Sep-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Enable the midpoint cache update by default
https://fedorahosted.org/sssd/ticket/918 |
c6fbe644aec3f174e25e789d08a337085917bd31 |
|
20-Sep-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
MAN: Add more information about internal credential storage |
5cbe97f9a8c516122cb1487d00f7c8b6d641fc19 |
|
08-Sep-2011 |
Pavel Březina <pbrezina@redhat.com> |
DEBUG timestamps offer higher precision - man page updated
https://fedorahosted.org/sssd/ticket/956 |
4b6a0d0b3d42e5fdb457f47d9adfa5e66b160256 |
|
02-Sep-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Add option to specify the kerberos replay cache dir
Adds a configure option to set the distribution default as well as
an sssd.conf option to override it.
https://fedorahosted.org/sssd/ticket/980 |
930b8d8442c3ee88ad088d45e744510a5f815187 |
|
25-Aug-2011 |
Pavel Březina <pbrezina@redhat.com> |
New DEBUG facility - man pages
https://fedorahosted.org/sssd/ticket/925
Modified sssd and sssd.conf man pages to reflect new levels.
Added new man include: include/debug_levels.xml |
1dc99c9d468cfe2a7f7286a8969c586f8740bb9f |
|
29-Jul-2011 |
John Hodrien <J.H.Hodrien@leeds.ac.uk> |
Add vetoed_shells option
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
068dbee9ca7bf5b37330eff91c94ae10f288d09f |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add new options to override shell value
https://fedorahosted.org/sssd/ticket/742 |
d9d716b547d256c03df97b0ff8282349a0f365ad |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option to override home directory value
https://fedorahosted.org/sssd/ticket/551 |
54af51d2129d29258108a6dbf072a82c930bf399 |
|
20-May-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Add a new option to override primary GID number
https://fedorahosted.org/sssd/ticket/742 |
67aa400d9ce91705225e51010e832877511cb7d4 |
|
19-Jan-2011 |
Sumit Bose <sbose@redhat.com> |
Add pam_pwd_expiration_warning config option |
055701c59d684fbb3c8be4a129bb8fd4cfb4ffe8 |
|
14-Jan-2011 |
Yuri Chornoivan <yurchor@ukr.net> |
Fix manpage typos |
c71ff1e4615ec8560b90ca7d4827d99424ad0355 |
|
22-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Update the ID cache for any PAM request
Also adds an option to limit how often we check the ID provider,
so that conversations with multiple PAM requests won't update the
cache multiple times.
https://fedorahosted.org/sssd/ticket/749 |
6c4661b78edafbd5b44e0c6319243e6671260bd0 |
|
17-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Start first enumeration immediately
Previously, we would wait for ten seconds before starting an
enumeration. However, this meant that on the first startup (before
we had run our first enumeration) there was a ten-second window
where clients would immediately get back a response with no
entries instead of blocking until the enumeration completed.
With this patch, SSSD will now run an enumeration immediately upon
startup. Further startups will retain the ten-second delay so as
not to slow down system bootups.
https://fedorahosted.org/sssd/ticket/616 |
9468a58f9bd191ef80c114943a288037c635a835 |
|
15-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Introduce pam_verbosity config option
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date. |
7051a30300d12163e890e4ec4b9a765567679a8b |
|
19-Oct-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.
For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in config file,
krb5_server has a higher priority.
Fixes: #543 |
39b0adeaaf2429c7cbad045f7f8a79d51d02bee5 |
|
13-Oct-2010 |
Jan Zeleny <jzeleny@redhat.com> |
Man pages should mention supported providers
Each back end can support id, auth or access provider, but each
back end supports a different subset of these. Man pages should
describe which providers are supported by each back end.
Ticket: #615 |
cab4c5011d0dc6d98e2115f46b1185a17804df49 |
|
09-Jul-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add try_inotify option
There are some special cases where inotify cannot be used, even if
the host OS claims that it is supported. In these cases, it should
be possible to explicitly disable the use of inotify.
https://fedorahosted.org/sssd/ticket/484 |
780ffc9f6d5e1fcd4df3d390b56cb98878223cc0 |
|
30-Jun-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add dns_discovery_domain option
The service discovery used to use the SSSD domain name to perform DNS
queries. This is not an optimal solution, for example from the point of
view of authconfig.
This patch introduces a new option "dns_discovery_domain" that allows to set
the domain part of a DNS SRV query. If this option is not set, the
default behavior is to use the domain part of the machine's hostname.
Fixes: #479 |
855abda5ed5a0dcae499632ed5ead1d4cd293b48 |
|
09-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Change default min_id to 1
Also update manpage for min_id/max_id to be more clear about how
it relates to primary GID. |
37f3536a37f3c620d6e06a32800996137a4de8e4 |
|
06-Jun-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Man page fixes
Fixes: #496 |
9e9f8f0765b2e5b7e8701773599109220a85d442 |
|
20-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add enumerate details to the manpage and examples |
83bc461f812b3c3df260b5f75d84b34bb1135062 |
|
30-Apr-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add dns_resolver_timeout option
We had a hard-coded timeout of five seconds for DNS lookups in the
async resolver. This patch adds an option 'dns_resolver_timeout'
to specify this value (Default: 5) |
4aa841c5724f313435aeea1c0319e81bb0d14321 |
|
06-Apr-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Add userdel_cmd param
Fixes: #231 |
16ac0d6e148b1e07e579d47de1da7ac541447bd2 |
|
08-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Add simple access provider |
e6eb4d9e389a0ddf8c0b0f0f65055e14c448592a |
|
08-Mar-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Make filter_users and filter_groups also per-domain
Fixes: #290 |
980020c1ad798b79e7bb2c1618a04dd5cb7dd5cd |
|
25-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix check for values of expiration limits
There were inconsistencies between what sssd.conf manpage said
and what the code enforces. |
af81aaa57f82eab78647113c391bd84247f96150 |
|
23-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Better cleanup task handling
Implements a different mechanism for cleanup task. Instead of just
deleting expired entries, this patch adds a new option
account_cache_expiration for domains. If an entry is expired and the last
login was more days in the past than account_cache_expiration, the entry is
deleted.
Groups are deleted if they are expired and no user references them
(no user has memberof: attribute pointing at that group).
The parameter account_cache_expiration is not LDAP-specific, so that other
future backends might use the same timeout setting.
Fixes: #391 |
c24dd6734f36f13df84d9fdb28ce1be45451a41d |
|
23-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Revert "Change default for enumeration to TRUE"
This reverts commit 75a9f18ad8ac6e885ac34cdeebc4d8f8734713f8. |
170cd083e3a9738b35de03b8e63743a8f2516ca8 |
|
23-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not check entries during cleanup task
Do not attempt to validate expired entries in cache, just delete them.
Also increase the cache timeouts.
Fixes: #331 |
e0bb119bdc1549d731f371202428c0cb667d3388 |
|
22-Feb-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Restrict family lookups
Adds a new option that tells resolver which address family to prefer or
use exclusively.
Fixes: #404 |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |