Skip to content


Choose a tag to compare
@pbrezina pbrezina released this 16 Apr 09:01
· 5291 commits to master since this release

SSSD 1.13.1


  • Initial support for Smart Card authentication was added. The feature can be activated with the new pam_cert_auth option
  • The PAM prompting was enhanced so that when Two-Factor Authentication is used, both factors (password and token) can be entered separately on separate prompts. At the same time, only the long-term password is cached, so offline access would still work using the long term password
  • A new command line tool sss_override is present in this release. The tools allows to override attributes on the SSSD side. It's helpful in environment where e.g. some hosts need to have a different view of POSIX attributes than others. Please note that the overrides are stored in the cache as well, so removing the cache will also remove the overrides
  • New methods were added to the SSSD D-Bus interface. Notably support for looking up a user by certificate and looking up multiple users using a wildcard was added. Please see the interface introspection or the design pages for full details
  • Several enhancements to the dynamic DNS update code. Notably, clients that update multiple interfaces work better with this release
  • This release supports authenticating againt a KDC proxy
  • The fail over code was enhanced so that if a trusted domain is not reachable, only that domain will be marked as inactive but the backed would stay in online mode
  • Several fixes to the GPO access control code are present

Packaging Changes

  • The Smart Card authentication feature requires a helper process p11_child that needs to be marked as setgid if SSSD needs to be able to. Please note the p11_child requires the NSS crypto library at the moment
  • The sss_override tool was added along with its own manpage
  • The upstream RPM can now build on RHEL/CentOS 6.7

Documentation Changes

  • The config_file_version configuration option now defaults to 2. As an effect, this option doesn't have to be set anymore unless the config file format is changed again by SSSD upstream
  • It is now possible to specify a comma-separated list of interfaces in the dyndns_iface option
  • The InfoPipe responder and the LDAP provider gained a new option wildcard_lookup that specifies an upper limit on the number of entries that can be returned with a wildcard lookup
  • A new option dyndns_server was added. This option allows to attempt a fallback DNS update against a specific DNS server. Please note this option only works as a fallback, the first attempt will always be performed against autodiscovered servers.
  • The PAM responder gained a new option ca_db that allows the storage of trusted CA certificates to be specified
  • The time the p11_child is allowed to operate can be specified using a new option p11_child_timeout

See full release notes here.