Chapter 1. Authentication

Directory Server supports configurable normalized DN cache

This update provides better performance for plug-ins such as memberOf and for operations which update entries with many DN syntax attributes. The newly implemented configurable normalized DN cache makes DN handling by the server more efficient.

SSSD displays password expiration warnings when using non-password authentication

Previously, SSSD could only verify password validity during the authentication phase. When a non-password authentication method was used, such as during SSH login, SSSD was not called in the authentication phase and therefore did not perform a password validity check. This update moves the check from the authentication phase to the account phase. As a result, SSSD can issue a password expiration warning even when no password is used during authentication. For more information, see the Deployment Guide:

SSSD supports login with User Principal Name

In addition to user names, SSSD can now use the User Principal Name (UPN) attribute to identify users and handle user logins, a function available to Active Directory users. With this enhancement, an AD user can log in with either the user name and the domain, or the UPN attribute.

SSSD supports background refresh for cached entries

SSSD allows cached entries to be updated out-of-band in the background. Prior to this update, when the validity of cached entries expired, SSSD fetched them from the remote server and stored them in the database anew, which could be time consuming. With this update, entries are returned instantly because the back end keeps them updated at all times. Note that this causes a higher load on the server because SSSD downloads the entries periodically instead of only upon request.

The sudo command supports zlib compressed I/O logs

The sudo command is now built with zlib support which enables sudo to generate and process compressed I/O logs.

New package: openscap-scanner

A new package, openscap-scanner, is now provided to allow administrators to install and use the OpenSCAP scanner (oscap) without having to install all dependencies of the openscap-utils package, which previously contained the scanner tool. The separate packaging of the OpenSCAP scanner reduces potential security risks associated with installing unnecessary dependencies. The openscap-utils package is still available and contains other miscellaneous tools. Users who only need the oscap tool are advised to remove the openscap-utils package and install the openscap-scanner package.

New package: scap-workbench for easy SCAP evaluation

SCAP Workbench provides easy-to-use SCAP-content tailoring and single-machine evaluation. It greatly lowers the entry barrier through its integration of scap-security-guide content. Prior to this update, Red Hat Enterprise Linux 6 included the scap-security-guide and openscap packages, but not the scap-workbench package. Without SCAP Workbench, testing SCAP evaluation requires the command line, which is error-prone and a major obstacle for some users. SCAP Workbench lets users easily customize their SCAP content and test evaluation on single machines.

If supported by NSS, TLS 1.0 or newer is enabled by default

Due to CVE-2014-3566, SSLv3 and older protocol versions are disabled by default. The Directory Server now accepts more secure protocols, such as TLSv1.1 and TLSv1.2, using the protocol version range mechanism offered by the NSS library. You can also define the SSL version range that the console uses when communicating with Directory Server instances.

openldap includes the pwdChecker library

This update introduces the Check Password extension for OpenLDAP by including the OpenLDAP pwdChecker library. The extension is required for PCI compliance in Red Hat Enterprise Linux 6.

SSSD supports overriding automatically discovered AD site

The Active Directory (AD) DNS site to which the client connects is discovered automatically by default. However, the default automatic search might not discover the most suitable AD site in certain setups. In such situations, you can now define the DNS site manually using the ad_site parameter in the [domain/NAME] section of the /etc/sssd/sssd.conf file. For more information about ad_site, see the Identity Management Guide:

certmonger supports SCEP

The certmonger service has been updated to support the Simple Certificate Enrollment Protocol (SCEP). certmonger can now obtain certificates from servers that offer enrollment over SCEP.

Performance improvements for Directory Server delete operations

Previously, the recursive nested group look-ups performed during a group delete operation could take a long time to complete if there were very large static groups. The new memberOfSkipNested configuration attribute has been added to allow skipping the nested group check, thus improving performance of delete operations significantly.

SSSD supports user migration from WinSync to Cross-Realm Trust

A new user-configuration mechanism, ID Views, has been implemented in Red Hat Enterprise Linux 6.7. ID Views enables migration of Identity Management users from a WinSync synchronization-based architecture used by Active Directory to an infrastructure based on Cross-Realm Trusts. For details on ID Views and the migration procedure, see the Identity Management Guide:

SSSD supports localauth Kerberos plug-in

This update adds the localauth Kerberos plug-in for local authorization. The plug-in ensures that Kerberos principals are automatically mapped to local SSSD user names. With this plug-in, it is no longer necessary to use the auth_to_local parameter in the krb5.conf file. For more information about the plug-in, see the Identity Management Guide:

SSSD supports access to specified applications without system login rights

The domains= option has been added to the pam_sss module, which overrides the domains= option in the /etc/sssd/sssd.conf file. This update also adds the pam_trusted_users option, which allows the user to add a list of numerical UIDs or user names that are trusted by the SSSD daemon. In addition to that, the pam_public_domains option and a list of domains accessible even for untrusted users have been added. These new options enable a system configuration that allows regular users to access specified applications without login rights on the system itself. For more information, see the Identity Management Guide:

SSSD supports consistent user environment across AD and IdM

The sssd service can read POSIX attributes defined on an Active Directory (AD) server that is in a trust relationship with Identity Management (IdM). With this update, the administrator can transfer a custom user shell attribute from the AD server to an IdM client. SSSD then displays the custom attribute on the IdM client. This update enables maintaining consistent environments across the whole enterprise. Note that the homedir attribute on the client currently displays the subdomain_homedir value from the AD server. For more information, see the Identity Management Guide:

SSSD supports displaying groups for AD trusted users before login

Active Directory (AD) users from domains of an AD forest in a trust relationship with Identity Management (IdM) are now able to resolve group memberships prior to logging in. As a result, the id utility now displays the groups for these users without requiring the users to log in.

getcert supports requesting certificates without certmonger

Requesting a certificate with the getcert utility during an Identity Management (IdM) client kickstart enrollment no longer requires the certmonger service to be running. Previously, such an attempt failed because certmonger was not running. With this update, getcert can successfully request a certificate in the described situation, on the condition that the D-Bus daemon is not running. Note that certmonger starts monitoring the certificate obtained in this way only after a reboot.

SSSD supports preserving case of user identifiers

SSSD now supports the true, false, and preserve values for the case_sensitive option. When preserve is set, input matches regardless of case, but the output always uses the same case as on the server; SSSD preserves the case of the UID field as it is configured.

SSSD supports denying locked accounts SSH login access

Previously, when SSSD used OpenLDAP as its authentication database, users could authenticate into the system successfully with an SSH key even after the user account was locked. The ldap_access_order parameter now accepts the ppolicy value which can deny SSH access to the user in the described situation. For more information about using ppolicy, see the ldap_access_order description in the sssd-ldap(5) man page.

SSSD supports using GPOs on AD

SSSD can now use Group Policy Objects (GPOs) stored on an Active Directory (AD) server for access control. This enhancement mimics the functionality of Windows clients, and a single set of access control rules can now be used to handle both Windows and Unix machines. In effect, Windows administrators can now use GPOs to control access to Linux clients. For more information, see the Identity Management Guide:
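The following /etc/sssd/sssd.conf is an added example, not taken from the Release Notes or the SSSD project, that turns on several of the SSSD options described in this chapter: pam_trusted_users and pam_public_domains, ldap_access_order = ppolicy, case_sensitive = preserve, ad_site, and AD GPO access control. The domain names, site name, UIDs, user names and filter are constructed placeholders, and the ad_gpo_access_control option name is an assumption not stated on this page.

```ini
# Constructed example /etc/sssd/sssd.conf for an RHEL 6.7 client that is
# joined to an LDAP domain and an AD domain. All names and values are
# placeholders; adjust them to your environment.
[sssd]
config_file_version = 2
services = nss, pam
domains = ldap.example.com, ad.example.com

[pam]
# Callers (UID or user name) that may query the PAM responder about any
# domain. Untrusted callers are limited to the public domains below.
pam_trusted_users = 0, webadmin
# Domains that even untrusted callers may authenticate against.
pam_public_domains = ldap.example.com

[domain/ldap.example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Deny access (including SSH key logins) to accounts locked by the
# OpenLDAP ppolicy overlay, then apply the LDAP access filter.
access_provider = ldap
ldap_access_order = ppolicy, filter
ldap_access_filter = (memberOf=cn=linux-users,ou=groups,dc=example,dc=com)
# Match user names regardless of case, but return them as stored on the server.
case_sensitive = preserve

[domain/ad.example.com]
id_provider = ad
access_provider = ad
# Override the automatically discovered AD DNS site.
ad_site = Boston
# Assumed option name: enforce AD Group Policy logon rights on this client.
ad_gpo_access_control = enforcing
```

An application running under an unprivileged UID that is not in pam_trusted_users can still authenticate users of the public domain through a PAM stack containing `auth required pam_sss.so domains=ldap.example.com`, while lookups against ad.example.com remain reserved for trusted callers.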