Directory Server supports a configurable normalized DN cache
This update improves performance for plug-ins such as memberOf and for operations that update entries with many DN-syntax attributes. The newly implemented, configurable normalized DN cache makes DN handling by the server more efficient.
SSSD displays password expiration warnings when using non-password authentication
Previously, SSSD could only verify password validity during the PAM authentication phase. When a non-password authentication method was used, such as a public-key SSH login, SSSD was not called in the authentication phase and therefore performed no password validity check. This update moves the check from the authentication phase to the account phase. As a result, SSSD can issue a password expiration warning even when no password is used during authentication, provided pam_sss is part of the PAM account stack. For more information, see the Deployment Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/index.html
SSSD supports login with User Principal Name
In addition to user names, SSSD can now use the User Principal Name (UPN) attribute to identify Active Directory users and to log them in. With this enhancement, an AD user can log in either with the user name and the domain or with the UPN attribute.
SSSD supports background refresh for cached entries
SSSD can now update cached entries out of band, in the background. Prior to this update, when a cached entry expired, SSSD fetched it from the remote server and stored it in the cache again before answering, which could be time consuming. With this update, entries are returned immediately because the back end keeps them refreshed. Note that this places a higher load on the identity server (LDAP or AD) because SSSD downloads the entries periodically instead of only on request.
The sudo command supports zlib compressed I/O logs
The sudo command is now built with zlib support, which enables sudo to generate and process compressed I/O logs.
New package: openscap-scanner
A new package, openscap-scanner, is now provided to allow administrators to install and use the OpenSCAP scanner (oscap) without having to install all dependencies of the openscap-utils package, which previously contained the scanner tool. The separate packaging of the OpenSCAP scanner reduces potential security risks associated with installing unnecessary dependencies. The openscap-utils package is still available and contains other miscellaneous tools. Users who only need the oscap tool are advised to remove the openscap-utils package and install the openscap-scanner package.
New package: scap-workbench for easy SCAP evaluation
SCAP Workbench provides easy-to-use SCAP content tailoring and single-machine evaluation, and its integration with scap-security-guide content greatly lowers the entry barrier. Prior to this update, Red Hat Enterprise Linux 6 included the scap-security-guide and openscap packages but not the scap-workbench package. Without SCAP Workbench, testing a SCAP evaluation required the command line, which is error prone and a major obstacle for some users. SCAP Workbench lets users customize their SCAP content and test its evaluation on a single machine.
If supported by NSS, TLS 1.0 or newer is enabled by default
Because of CVE-2014-3566 (POODLE), SSLv3 and older protocol versions are disabled by default. Directory Server now accepts the more secure TLS versions, such as TLS 1.1 and TLS 1.2, using the protocol version range mechanism offered by the NSS library. You can also define the SSL version range that the console uses when communicating with Directory Server instances.
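The following script is an added example, not part of the release notes and not Red Hat's or 389 Directory Server's own tooling. It emits and applies the LDIF that pins the Directory Server version range (the nsSSL3, sslVersionMin and sslVersionMax attributes on cn=encryption,cn=config) and then probes the LDAPS port from a client to confirm that an SSLv3 handshake is refused while TLS 1.2 succeeds. The host, ports and bind DN are assumed placeholders; override them through the environment.

```bash
#!/bin/bash
# Added example (not from the release notes): pin the Directory Server
# SSL/TLS version range and verify it from a client.
# Assumed placeholders: DS_HOST, DS_PORT, DS_LDAPS_PORT, DS_BINDDN.
set -u

DS_HOST="${DS_HOST:-ds.example.com}"
DS_PORT="${DS_PORT:-389}"
DS_LDAPS_PORT="${DS_LDAPS_PORT:-636}"
DS_BINDDN="${DS_BINDDN:-cn=Directory Manager}"

# LDIF that turns SSLv3 off and restricts the range to min..max.
# TLS1.0 is the floor only because it is the default described above;
# raise it to TLS1.1 or TLS1.2 once every client can negotiate that.
ds_tls_range_ldif() {
    local min="${1:-TLS1.0}" max="${2:-TLS1.2}"
    cat <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: sslVersionMin
sslVersionMin: ${min}
-
replace: sslVersionMax
sslVersionMax: ${max}
EOF
}

# Apply the LDIF (prompts for the bind password). The instance must be
# restarted before the new range is enforced.
ds_tls_range_apply() {
    ds_tls_range_ldif "$@" | ldapmodify -x -H "ldap://${DS_HOST}:${DS_PORT}" \
        -D "${DS_BINDDN}" -W
}

# One handshake with a single protocol version. Returns 0 only if s_client
# reports a negotiated cipher; a refused version yields "Cipher is (NONE)".
ds_tls_probe() {
    local flag="$1" out
    out=$(openssl s_client -connect "${DS_HOST}:${DS_LDAPS_PORT}" "$flag" \
          </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep -q '^New, ' && \
        ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'
}

# Expected after the restart: SSLv3 refused, TLS 1.2 accepted.
ds_tls_range_verify() {
    local rc=0
    if ds_tls_probe -ssl3; then
        echo "FAIL: SSLv3 handshake still accepted" >&2; rc=1
    else
        echo "ok: SSLv3 refused"
    fi
    if ds_tls_probe -tls1_2; then
        echo "ok: TLS 1.2 accepted"
    else
        echo "FAIL: TLS 1.2 handshake refused" >&2; rc=1
    fi
    return "$rc"
}

case "${1:-print}" in
    print)  ds_tls_range_ldif "${2:-TLS1.0}" "${3:-TLS1.2}" ;;
    apply)  ds_tls_range_apply "${2:-TLS1.0}" "${3:-TLS1.2}" ;;
    verify) ds_tls_range_verify ;;
esac
```

Run it with no arguments to see the LDIF, with `apply` to load it, and with `verify` after restarting the instance. The probe deliberately uses one protocol flag per handshake, so a server that silently falls back to SSLv3 shows up as a FAIL rather than as a successful TLS connection.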
openldap includes the pwdChecker library
This update introduces the Check Password extension for OpenLDAP by including the OpenLDAP pwdChecker library. The extension is required for PCI compliance in Red Hat Enterprise Linux 6.
SSSD supports overriding automatically discovered AD site
certmonger supports SCEP
The certmonger service has been updated to support the Simple Certificate Enrollment Protocol (SCEP). Certificates can now be obtained from certificate authorities that offer enrollment over SCEP.
Performance improvements for Directory Server delete operations
Previously, the recursive nested-group look-ups performed during a group delete operation could take a long time to complete when there were very large static groups. The new memberOfSkipNested configuration attribute allows the nested-group check to be skipped, which significantly improves the performance of delete operations.
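As an added example (not from the release notes and not 389 Directory Server's own tooling), the script below emits the LDIF that toggles memberOfSkipNested on the MemberOf plug-in entry, applies it, and includes a small LDIF counter that lists the static groups large enough to make the nested walk slow, so you can confirm the problem exists before changing plug-in behaviour. The host, bind DN and search base are assumed placeholders.

```bash
#!/bin/bash
# Added example (not from the release notes): toggle memberOfSkipNested on
# the MemberOf plug-in and size up the static groups that make the nested
# walk slow. Assumed placeholders: DS_HOST, DS_PORT, DS_BINDDN.
set -u

DS_HOST="${DS_HOST:-ds.example.com}"
DS_PORT="${DS_PORT:-389}"
DS_BINDDN="${DS_BINDDN:-cn=Directory Manager}"
PLUGIN_DN="cn=MemberOf Plugin,cn=plugins,cn=config"

# LDIF that sets the attribute: "on" skips the recursive nested-group walk on
# group delete, "off" restores the default exhaustive check.
memberof_skip_nested_ldif() {
    local state="${1:-on}"
    case "$state" in
        on|off) ;;
        *) echo "state must be on or off, not '$state'" >&2; return 2 ;;
    esac
    cat <<EOF
dn: ${PLUGIN_DN}
changetype: modify
replace: memberOfSkipNested
memberOfSkipNested: ${state}
EOF
}

# Apply the LDIF (prompts for the bind password); restart the instance so
# the plug-in re-reads its configuration.
memberof_skip_nested_apply() {
    memberof_skip_nested_ldif "$@" | ldapmodify -x \
        -H "ldap://${DS_HOST}:${DS_PORT}" -D "${DS_BINDDN}" -W
}

# Read LDIF on stdin and print "<member count> <dn>" for every group with
# more members than the threshold. Pure text processing, so it also works
# on a saved ldapsearch dump offline.
count_large_groups() {
    local threshold="${1:-1000}"
    awk -v t="$threshold" '
        function flush() { if (dn != "" && n > t) print n, dn; dn = ""; n = 0 }
        /^dn: /       { flush(); dn = substr($0, 5); next }
        /^member::? / { n++ }
        END           { flush() }'
}

# Live query: list static groups above the threshold under a search base.
# If nothing prints, the slow path that memberOfSkipNested avoids is
# unlikely to be the cause of slow deletes.
large_static_groups() {
    local base="$1" threshold="${2:-1000}"
    ldapsearch -x -LLL -H "ldap://${DS_HOST}:${DS_PORT}" -D "${DS_BINDDN}" -W \
        -b "$base" '(objectClass=groupOfNames)' member \
        | count_large_groups "$threshold"
}

case "${1:-print}" in
    print) memberof_skip_nested_ldif "${2:-on}" ;;
    apply) memberof_skip_nested_apply "${2:-on}" ;;
    scan)  large_static_groups "${2:-dc=example,dc=com}" "${3:-1000}" ;;
esac
```

Run `scan` first: with no args the script only prints the LDIF. Skipping the nested check trades accuracy for speed: after deleting a group, users who belonged to it only through a nested group keep their old memberOf values. If your tree uses nested groups, regenerate those values afterwards with the memberOf fixup task (fixup-memberof.pl in the instance's script directory) rather than leaving them stale, since memberOf is what access-control rules and SSSD consult.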
SSSD supports user migration from WinSync to Cross-Realm Trust
SSSD supports localauth Kerberos plug-in
SSSD supports access to specified applications without system login rights
option has been added to the
module, which overrides the
option in the
file. This update also adds the
option, which allows the user to add a list of numerical UIDs or user names that are trusted by the SSSD daemon. In addition to that, the
option and a list of domains accessible even for untrusted users have been added. These new options enable a system configuration that allows regular users to access specified applications without login rights on the system itself. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
SSSD supports consistent user environment across AD and IdM
service can read POSIX attributes defined on an Active Directory (AD) server that is in a trust relationship with Identity Management (IdM). With this update, the administrator can transfer a custom user shell attribute from the AD server to an IdM client. SSSD then displays the custom attribute on the IdM client. This update enables maintaining consistent environments across the whole enterprise. Note that the
attribute on the client currently displays the
value from the AD server. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
SSSD supports displaying groups for AD trusted users before login
Active Directory (AD) users from domains of an AD forest in a trust relationship with Identity Management (IdM) can now resolve group memberships before logging in. As a result, the id utility now displays the groups of these users without requiring them to log in first.
getcert supports requesting certificates without certmonger
Requesting a certificate using the getcert utility during an Identity Management (IdM) client kickstart enrollment no longer requires the certmonger service to be running. Previously, such an attempt failed because certmonger was not running. With this update, getcert can successfully request a certificate in the described situation, on the condition that the D-Bus daemon is not running. Note that certmonger starts monitoring a certificate obtained this way only after a reboot.
SSSD supports preserving case of user identifiers
SSSD now supports the preserve value for the case_sensitive option. When preserve is set, input matches regardless of case, but output always uses the same case as on the server: SSSD preserves the case of the user identifier as it is stored there.
SSSD supports denying locked accounts SSH login access
Previously, when SSSD used OpenLDAP as its authentication database, users could still log in with an SSH key after their account had been locked. The ldap_access_order parameter now accepts the ppolicy value, which denies SSH access to the user in the described situation. For more information about ppolicy, see the ldap_access_order description in the sssd-ldap(5) man page.
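The three SSSD domain settings described above (background refresh of cached entries, case_sensitive = preserve, and ldap_access_order = ppolicy) all live in the same [domain/...] section, so one added example covers them. The script below is not from the release notes and not SSSD's own tooling: it generates a complete sssd.conf for an OpenLDAP domain, noting inline the weaker settings each line replaces, installs it with the ownership and mode sssd requires, and checks case handling after the restart. The domain name, LDAP URI, search base and ppolicy DN are assumed placeholders; ldap_pwdlockout_dn must point at the DN of your server's ppolicy entry or the ppolicy check cannot read the lock state.

```bash
#!/bin/bash
# Added example (not from the release notes): build and install an sssd.conf
# that enables background refresh, case preservation and ppolicy lockout
# checks for an OpenLDAP domain. Assumed placeholders: SSSD_DOMAIN, LDAP_URI,
# LDAP_BASE, PPOLICY_DN (must be the DN of the server's ppolicy entry).
set -u

SSSD_DOMAIN="${SSSD_DOMAIN:-example.com}"
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"
PPOLICY_DN="${PPOLICY_DN:-cn=ppolicy,ou=policies,dc=example,dc=com}"
ENTRY_CACHE_TIMEOUT="${ENTRY_CACHE_TIMEOUT:-5400}"

# sssd.conf(5) suggests refreshing at about 75% of the entry timeout so an
# entry is renewed before a lookup would ever find it expired.
refresh_interval() {
    echo $(( $1 * 3 / 4 ))
}

# The complete configuration. The weak settings this replaces are noted
# inline: access_provider = permit (any resolvable user, locked or not,
# may log in with an SSH key) and case_sensitive = false (lookups match
# regardless of case, but names are lower-cased instead of returned as
# the server spells them).
sssd_conf() {
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ${SSSD_DOMAIN}

[domain/${SSSD_DOMAIN}]
id_provider = ldap
auth_provider = ldap
ldap_uri = ${LDAP_URI}
ldap_search_base = ${LDAP_BASE}

# Background refresh: entries stay valid for entry_cache_timeout seconds and
# the back end renews expired ones every refresh_expired_interval seconds.
entry_cache_timeout = ${ENTRY_CACHE_TIMEOUT}
refresh_expired_interval = $(refresh_interval "$ENTRY_CACHE_TIMEOUT")

# Match names case-insensitively but return them as stored on the server
# (was: case_sensitive = false).
case_sensitive = preserve

# Deny accounts the OpenLDAP ppolicy overlay has locked, even for logins
# that never check a password, such as SSH public keys
# (was: access_provider = permit).
access_provider = ldap
ldap_access_order = ppolicy
ldap_pwdlockout_dn = ${PPOLICY_DN}
EOF
}

# Install atomically with the permissions sssd insists on (root-owned, 0600)
# and restart the daemon so the new domain settings take effect.
sssd_install() {
    local target="${1:-/etc/sssd/sssd.conf}"
    ( umask 077 && sssd_conf > "${target}.new" )
    chown root:root "${target}.new" && chmod 0600 "${target}.new"
    mv -f "${target}.new" "$target"
    service sssd restart
}

# After the restart: both spellings must resolve, and the entry printed
# must carry the server's spelling, not the one typed.
sssd_check_case() {
    local user="$1" lower upper
    lower=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    upper=$(printf '%s' "$user" | tr '[:lower:]' '[:upper:]')
    getent passwd "$lower" && getent passwd "$upper"
}

case "${1:-print}" in
    print)   sssd_conf ;;
    install) sssd_install "${2:-/etc/sssd/sssd.conf}" ;;
    check)   sssd_check_case "${2:?user name required}" ;;
esac
```

The ppolicy check only fires if pam_sss is in the PAM account stack (on Red Hat Enterprise Linux 6, `authconfig --enablesssd --enablesssdauth --update` puts it there); a public-key login never enters the auth stack, so that is the only place the lock state can be consulted. To test, lock a user through the ppolicy overlay (pwdAccountLockedTime set on the entry), attempt an SSH public-key login as that user, and confirm sshd refuses it and /var/log/secure records the denial from pam_sss(sshd:account). The higher load the notes warn about comes from refresh_expired_interval: every expired user, group and netgroup in the cache is re-fetched on that timer whether or not anyone asks for it, so keep the interval close to the entry timeout rather than very short.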
SSSD supports using GPOs on AD