Chapter 1. Authentication
Directory Server supports configurable normalized DN cache
This update provides better performance for plug-ins such as memberOf and for operations which update entries with many DN syntax attributes. The newly implemented configurable normalized DN cache makes DN handling by the server more efficient.
SSSD displays password expiration warnings when using non-password authentication
Previously, SSSD could only verify password validity during the authentication phase. When a non-password authentication method was used, such as during SSH login, SSSD was not called in the authentication phase and therefore did not perform a password validity check. This update moves the check from the authentication phase to the account phase. As a result, SSSD can issue a password expiration warning even when no password is used during authentication. For more information, see the Deployment Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/index.html
SSSD supports login with User Principal Name
In addition to user names, the User Principal Name (UPN) attribute can now be used by SSSD for identifying users and user logins, which is a functionality available to Active Directory users. With this enhancement, it is possible to log in as an AD user with either the user name and the domain, or the UPN attribute.
SSSD supports background refresh for cached entries
SSSD allows cached entries to be updated out-of-band in the background. Prior to this update, when the validity of cached entries expired, SSSD fetched them from the remote server and stored them in the database anew, which could be time consuming. With this update, entries are returned instantly because the back end keeps them updated at all times. Note that this causes a higher load on the server because SSSD downloads the entries periodically instead of only upon request.
The sudo command supports zlib compressed I/O logs
The sudo command is now built with zlib support, which enables sudo to generate and process compressed I/O logs.
New package: openscap-scanner
A new package, openscap-scanner, is now provided to allow administrators to install and use the OpenSCAP scanner (oscap) without having to install all dependencies of the openscap-utils package, which previously contained the scanner tool. The separate packaging of the OpenSCAP scanner reduces potential security risks associated with installing unnecessary dependencies. The openscap-utils package is still available and contains other miscellaneous tools. Users who only need the oscap tool are advised to remove the openscap-utils package and install the openscap-scanner package.
New package: scap-workbench for easy SCAP evaluation
SCAP Workbench enables easy-to-use SCAP-content tailoring and single-machine evaluation. It greatly lowers the entry barrier with its integration of scap-security-guide content. Prior to this update, Red Hat Enterprise Linux 6 included the scap-security-guide and openscap packages, but not the scap-workbench package. Without SCAP Workbench, the command line is required to test SCAP evaluation, which is error prone and a major obstacle for some users. SCAP Workbench enables users to easily customize their SCAP content and test evaluation on single machines.
If supported by NSS, TLS 1.0 or newer is enabled by default
Due to CVE-2014-3566, SSLv3 and older protocol versions are disabled by default. The Directory Server now accepts more secure SSL protocols, such as TLSv1.1 and TLSv1.2, using the protocol version range mechanism offered by the NSS library. You can also define the SSL version range that the console uses when communicating with Directory Server instances.
openldap includes the pwdChecker library
This update introduces the Check Password extension for OpenLDAP by including the OpenLDAP pwdChecker library. The extension is required for PCI compliance in Red Hat Enterprise Linux 6.
SSSD supports overriding automatically discovered AD site
The Active Directory (AD) DNS site to which the client connects is discovered automatically by default. However, the default automatic search might not discover the most suitable AD site in certain setups. In such situations, you can now define the DNS site manually using the ad_site parameter in the [domain/NAME] section of the /etc/sssd/sssd.conf file. For more information about ad_site, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
certmonger supports SCEP
The certmonger service has been updated to support the Simple Certificate Enrollment Protocol (SCEP). You can now use enrollment over SCEP to obtain certificates from servers.
Performance improvements for Directory Server delete operations
Previously, the recursive nested group look-ups performed during a group delete operation could take a long time to complete if there were very large static groups. The new memberOfSkipNested configuration attribute has been added to allow skipping the nested group check, thus improving performance of delete operations significantly.
SSSD supports user migration from WinSync to Cross-Realm Trust
The ID Views mechanism of user configuration has been implemented in Red Hat Enterprise Linux 6.7. ID Views enables migration of Identity Management users from a WinSync synchronization-based architecture used by Active Directory to an infrastructure based on Cross-Realm Trusts. For details on ID Views and the migration procedure, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
SSSD supports localauth Kerberos plug-in
This update adds the localauth Kerberos plug-in for local authorization. The plug-in ensures that Kerberos principals are automatically mapped to local SSSD user names. With this plug-in, it is no longer necessary to use the auth_to_local parameter in the krb5.conf file. For more information about the plug-in, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
SSSD supports access to specified applications without system login rights
The domains= option has been added to the pam_sss module, which overrides the domains= option in the /etc/sssd/sssd.conf file. This update also adds the pam_trusted_users option, which allows the user to add a list of numerical UIDs or user names that are trusted by the SSSD daemon. In addition to that, the pam_public_domains option and a list of domains accessible even for untrusted users have been added. These new options enable a system configuration that allows regular users to access specified applications without login rights on the system itself. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
SSSD supports consistent user environment across AD and IdM
The sssd service can read POSIX attributes defined on an Active Directory (AD) server that is in a trust relationship with Identity Management (IdM). With this update, the administrator can transfer a custom user shell attribute from the AD server to an IdM client. SSSD then displays the custom attribute on the IdM client. This update enables maintaining consistent environments across the whole enterprise. Note that the homedir attribute on the client currently displays the subdomain_homedir value from the AD server. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
SSSD supports displaying groups for AD trusted users before login
Active Directory (AD) users from domains of an AD forest in a trust relationship with Identity Management (IdM) are now able to resolve group memberships prior to logging in. As a result, the id utility now displays the groups for these users without requiring the users to log in.
getcert supports requesting certificates without certmonger
Requesting a certificate using the getcert utility during an Identity Management (IdM) client kickstart enrollment no longer requires the certmonger service to be running. Previously, an attempt to do this failed because certmonger was not running. With this update, getcert can successfully request a certificate in the described situation, on the condition that the D-Bus daemon is not running. Note that certmonger starts to monitor the certificate obtained in this way only after reboot.
SSSD supports preserving case of user identifiers
SSSD now supports the preserve value for the case_sensitive option. When the preserve value is enabled, the input matches regardless of the case, but the output is always the same case as on the server; SSSD preserves the case for the UID field as it is configured.
SSSD supports denying locked accounts SSH login access
Previously, when SSSD used OpenLDAP as its authentication database, users could authenticate into the system successfully with an SSH key even after the user account was locked. The ldap_access_order parameter now accepts the ppolicy value, which can deny SSH access to the user in the described situation. For more information about using ppolicy, see the ldap_access_order description in the sssd-ldap(5) man page.
SSSD supports using GPOs on AD
SSSD can now use Group Policy Objects (GPOs) stored on an Active Directory (AD) server for access control. This enhancement mimics the functionality of Windows clients, and a single set of access control rules can now be used to handle both Windows and Unix machines. In effect, Windows administrators can now use GPOs to control access to Linux clients. For more information, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html