sssd-users June 2025

sssd-users@lists.fedorahosted.org

4 participants
2 discussions

SSSD & eDirectory Issue
by Shaun Glass 19 Jun '25

19 Jun '25

Good Day, I am busy setting up testing and authentication Linux Servers against eDirectory (LDAP) using SSSD with Linux Enabled (LUM) Users and Groups. I am having issues with the below : *ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))* Now the precise part I am talking about is *securityEquals*. We were using *gidNumber* but since just about all Users will have the same Primary Group they will end up with the same *gidNumber*. The reason we want to avoid that is when a person does : *getent passwd* ... they will see hundreds of user accounts and we want to avoid that. The idea is that we want it to match the Users in a particular Group without that Group being the Users Primary Group : *ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))ldap_group_search_base = o=LDAP?subtree?(&(objectclass=posixGroup)(|(cn=SERVER)))* I do not know if *securityEquals* is a valid attribute for SSSD ? Regards

3 3

[SSSD] Announcing SSSD 2.11.0
by Pavel Březina 05 Jun '25

05 Jun '25

# SSSD 2.11.0 The SSSD team is announcing the release of version 2.11.0 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.11.0 See the full release notes at: https://sssd.io/release-notes/sssd-2.11.0.html RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users # SSSD 2.11.0 Release Notes ## Highlights ### General information * The deprecated tool `sss_ssh_knownhostsproxy` was finally removed, together with the `./configure` option `--with-ssh-known-host-proxy` used to build it. It is now replaced by a stub which displays an error message. Instead of this tool, you must now use `sss_ssh_knownhosts`. Please check the sss_ssh_knownhosts(1) man page for detailed information. * Support for the previously deprecated `sssd.conf::user` option (`--with-conf-service-user-support` `./configure` option) was removed. * When both IPv4 and IPv6 address families are resolvable, but the primary is blocked on firewall, SSSD attempts to connect to the server on the secondary family. * During startup SSSD won't check NSCD configuration to issue a warning in a case of potential conflict. * Previously deprecated `--with-files-provider` configure option and thus support of `id_provider = files` were removed. * Previously deprecated `--with-libsifp` configure option and `sss_simpleifp' library were removed. * `krb5-child-test` was removed. Corresponding tests under `src/tests/system/` are aimed to provide a comprehensive test coverage of `krb5_child` functionality. * SSSD doesn't create any more missing path components of DIR:/FILE: ccache types while acquiring user's TGT. The parent directory of requested ccache directory must exist and the user trying to log in must have `rwx` access to this directory. This matches behavior of `kinit`. * The DoT for dynamic DNS updates is supported now. It requires new version of `nsupdate` from BIND 9.19+. * The option default_domain_suffix is deprecated. Consider using the more flexible domain_resolution_order instead. ### New features * New generic id and auth provider for Identity Providers (IdPs), as a start Keycloak and Entra ID are supported. Given suitable credentials this provider can read users and groups from IdPs and can authenticate IdP users with the help of the OAUTH 2.0 Device Authorization Grant (RFC 8628) * SSSD IPA provider now supports IPA subdomains, not only Active Directory. This IPA subdomain support will enable SSSD support of IPA-IPA Trust feature, the full usable feature coming in a later FreeIPA release. Trusted domain configuration options are specified in the `sssd-ipa` man page. ### Important fixes * `sssd_kcm` memory leak was fixed. * If the ssh responder is not running, `sss_ssh_knownhosts` will not fail (but it will not return the keys). ### Packaging changes * **Important note for downstream maintainers.** A set of capabilities required by privileged binaries was further reduced to: ``` krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p ldap_child cap_dac_read_search=p selinux_child cap_setgid,cap_setuid=p sssd_pam cap_dac_read_search=p ``` Keep in mind that even with a limited set of fine grained capabilities, usual precautions still should be taken while packaging binaries with file capabilities: it's very important to make sure that those are executable only by root/sssd service user. For this reason upstream spec file packages it as: ``` -rwxr-x---. 1 root sssd ``` Failing to do so (i.e. allowing non-privileged users to execute those binaries) can impose systems installing the package to a security risk. * New configure option `--with-id-provider-idp` to enable and disable building SSSD's IdP id provider, default is enabled. * `--with-nscd-conf` `./configure` option was removed. * Support of deprecated `ad_allow_remote_domain_local_groups` sssd.conf option isn't built by default. It can be enabled using `--with-allow-remote-domain-local-groups` `./configure` option. ### Configuration changes * The id_provider and auth_provider options support a new value `idp`. Details about how to configure the IdP provider can be found in the sssd-idp man page. * New optional fourth value for AD provider configuration option ad_machine_account_password_renewal_opts to select the command to update the keytab, currently `adcli` and `realm` are allowed values * The pam_sss.so module gained a new option named "allow_chauthtok_by_root". It allows changing realm password for an arbitrary user via PAM when invoked by root. * New `ldap_read_rootdse` option allows you to specify how SSSD will read RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated" and "never" * Until now dyndns_iface option supported only "*" for all interfaces or exact names. With this update it is possible to use shell wildcard patterns (e. g. eth*, eth[01], ...). * `ad_allow_remote_domain_local_groups` option is deprecated and will be removed in future releases. * the `dyndns_server` option is extended so it can be in form of URI (dns+tls://1.2.3.4:853#servername). New set of options `dyndns_dot_cacert`, `dyndns_dot_cert` and `dyndns_dot_key` allows to configure DNS-over-TLS communication. * Added `exop_force` value for configuration option `ldap_pwmodify_mode`. This can be used to force a password change even if no grace logins are left. Depending on the configuration of the LDAP server it might be expected that the password change will fail.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users June 2025