@pbrezina pbrezina released this 16 Apr 09:01
· 5477 commits to master since this release

SSSD 1.13.0


  • Support for separate prompts when using two-factor authentication was added
  • Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that will be released in the IPA 4.2 version
  • The fast memory cache now also supports the initgroups operation.
  • The PAM responder is now capable of caching authentication for a configurable period, which might reduce server load in cases where accounts authenticate very frequently. Please refer to the cached_auth_timeout option in the sssd.conf manual page.
  • The Active Directory provider has changed the default value of the ad_gpo_access_control option from permissive to enforcing. As a consequence, the GPO access control now affects all clients that set access_provider to ad. In order to restore the previous behaviour, set ad_gpo_access_control to permissive or use a different access_provider type.
  • Group Policy objects defined in a different AD domain than the one the computer object is defined in are now supported.
  • Credential caching and offline authentication are also available when using two-factor authentication
  • Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users and groups are now exposed as first-class objects. The users and groups can also be marked as cached and would subsequently show up in the Introspection output
  • The DBus interface is now also able to look up User objects by certificate. This is the first part of the work that will eventually allow smart-card authentication in SSSD.
  • The LDAP cleanup task is now disabled by default, unless enumeration is enabled. Please refer to the ldap_purge_cache_timeout option in case your environment requires the cleanup task
  • The Python bindings are now built for both Python2 and Python3
  • The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the ldap_opt_timeout option
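
The ad_gpo_access_control default change noted above silently affects every domain that sets access_provider to ad without naming a mode. The following audit sketch is an added example, not part of the SSSD project or these release notes; the function names and the sample configuration are constructed for illustration. It lists the domains whose effective GPO mode changes on upgrade:

```python
import configparser

# Constructed sample sssd.conf, not taken from any real deployment.
SAMPLE_CONF = """
[sssd]
domains = corp.example, lab.example, ldap.example

[domain/corp.example]
id_provider = ad
access_provider = ad

[domain/lab.example]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive

[domain/ldap.example]
id_provider = ldap
access_provider = simple
"""

NEW_DEFAULT = "enforcing"  # default from 1.13.0 on (was permissive before)

def gpo_modes(conf_text):
    """Map each domain that sets access_provider = ad to (mode, explicit)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Only domains that explicitly select the AD access provider are affected.
        if opts.get("access_provider", "").strip().lower() != "ad":
            continue
        mode = opts.get("ad_gpo_access_control")
        result[section[len("domain/"):]] = (
            (mode.strip().lower(), True) if mode else (NEW_DEFAULT, False))
    return result

def changed_by_upgrade(conf_text):
    """Domains with no explicit mode: they move from permissive to enforcing."""
    return sorted(d for d, (_, explicit) in gpo_modes(conf_text).items()
                  if not explicit)

if __name__ == "__main__":
    for dom, (mode, explicit) in sorted(gpo_modes(SAMPLE_CONF).items()):
        note = "explicit" if explicit else "default, changes on upgrade"
        print(f"{dom}: {mode} ({note})")
```

Pass the contents of the real configuration file to changed_by_upgrade() before upgrading; each domain it returns should either have its GPOs reviewed or have ad_gpo_access_control set to permissive explicitly.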

Packaging Changes

  • A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable to the user who runs the SSSD service.
  • Several packaging changes are present in this release to support the Python3 bindings, notably new python-sss and python-sss-murmur subpackages are introduced in upstream RPM packaging
  • All python bindings now have a Python3 and a Python2 version in the upstream RPM packaging scheme
  • The OpenSSL development library (such as openssl-devel on RHEL/Fedora or libssl-dev on Debian/Ubuntu) is now required to support certificate operations
  • A new internal library is present in this release.
  • The fast initgroups memcache is represented by a new file /var/lib/sss/mc/initgroups

Documentation Changes

  • The ad_gpo_access_control option default has changed from permissive to enforcing
  • The default value of ldap_purge_cache_timeout changed to 0, thus effectively disabling the cleanup task.
  • A new option cache_credentials_minimal_first_factor_length was added. This option sets constraints on the password length if One-Time passwords are used and credentials are to be cached. Please see the sssd.conf(5) man page for more details
  • Cached authentication is controlled by the new option cached_auth_timeout. By default, cached authentication is disabled.

See full release notes here.