Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

himmelblau-sso-1.3.0+git.0.f8cabb7-1.1 RPM for x86_64

From OpenSuSE Tumbleweed for x86_64

Name: himmelblau-sso Distribution: openSUSE Tumbleweed
Version: 1.3.0+git.0.f8cabb7 Vendor: openSUSE
Release: 1.1 Build date: Tue Sep 30 19:35:31 2025
Group: Productivity/Networking/Security Build host: reproducible
Size: 3875574 Source RPM: himmelblau-1.3.0+git.0.f8cabb7-1.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/himmelblau-idm/himmelblau
Summary: Azure Entra Id Firefox SSO Configuration
Himmelblau is an interoperability suite for Microsoft Azure Entra Id,
which allows users to sign into a Linux machine using Azure
Entra Id credentials.

Provides

Requires

License

GPL-3.0-or-later

Changelog

* Tue Sep 30 2025 david.mulder@suse.com
  - Update to version 1.3.0+git.0.f8cabb7:
    * Resolve errant "Hello key missing." messages
    * Version 1.3.0
    * Fix group static mapping
    * Move aad-tool idmap cache clear to the idmap cmd
    * deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates
    * deps(rust): bump the all-cargo-updates group with 6 updates
    * Fix RHEL8 package signing
    * Fix Hello PIN lookup when an alias domain
    * Raise maximum group lookup from 100 to 999
    * Always work with lowercase account names
    * Revert the self-hosted runner name
    * deps(rust): bump the all-cargo-updates group with 23 updates
* Tue Sep 02 2025 david.mulder@suse.com
  - Update to version 1.2.2+git.0.2d04bca:
    * Include latest branch in CI
    * Self hosted runners
    * Version 1.2.2
    * deps(rust): bump tracing-subscriber in the cargo group; (bsc#1249013), (CVE-2025-58160)
    * Version 1.2.1
    * Automatically append to nsswitch.conf in postinst
    * Correct the RPM postinst script syntax
* Thu Aug 07 2025 david.mulder@suse.com
  - Update to version 1.2.0+git.0.6befefc:
    * Version 1.2.0
    * Fix Kerberos credential cache permissions; (bsc#1247735), (CVE-2025-54882)
    * Set file owner and group before writing its content
    * Ensure alias domains match when checking Intune device id
    * Debian 12 doesn't support ConditionPathExists and notify-reload
    * Write scripts policy to a readable directory
    * Apply Intune policies right after enrollment
    * Add more debug instrumentation
    * Provide device_id to Intune enrollment if not cached
    * Ensure nss cache directory is created during install
    * Remove /var/cache/himmelblaud access from tasks daemon
    * Resolve daemon startup absolute path warnings
    * Version 1.1.0
    * Delay Intune enrollment on Device Auth fail
    * Do not leak the Intune IW service token in the logs
* Wed Jul 30 2025 david.mulder@suse.com
  - Update to version 1.0.0+git.0.d01709b:
    * Fix policy application
    * Add remaining Linux password compliance policies
    * Add custom compliance enforcement
    * deps(rust): bump the all-cargo-updates group with 3 updates
    * deps(rust): bump the all-cargo-updates group with 5 updates
    * Add SLE15SP7 build target
    * Add RHEL 10 build target
    * Fix Intermittent auth issue AADSTSError 16000
    * Remove old utf8proc dependency
    * Add `fedora42` build target
    * Handle PRT expiration and tie to offline auth
    * Correctly delete the Hello keys on bad pin count
    * Add ability to disable Hello PIN per-service
    * Update NixOS support to 25.05
    * Handle disabled device by attempting re-enrollment
    * Always attempt confidential client creds for aad-tool
    * Include HSM option defs in himmelblau.conf man page
    * Update flake.nix
    * Improve the aad-tool cache-clear command
    * Add `mfaSshWorkaroundFlag` configuration option to Nix Flake.
    * Add the ability to remove confidential client creds
    * If bad PIN count is exceeded, delete the Hello key
    * deps(rust): bump the all-cargo-updates group with 4 updates
    * Add instructions for creating developer builds
    * Fix GDM3 first time login password prompt
    * Default HsmType should be soft
    * Add himmelblaud to tss group for TPM startup
    * Enforce strict order for the systemd units
    * Update libhimmelblau and compact_jwt
    * Fix builds w/tpm
    * aad-tool Authentication flow improvements
    * Filter out irrelevant debug in aad-tool
    * Create a unified login experience for aad-tool
    * Utilize confidential creds for aad-tool enumerate
    * himmelblau should get posix attributes w/out delegate user access
    * Always use the Object Id for mapping Group to GID
    * Update enhancement-request.md for SPI donations
    * Update bug_report.md with SPI donation
    * deps(rust): bump the all-cargo-updates group with 4 updates
    * Update build requires in README.md
    * Enforce strict order for the systemd units
    * Update FUNDING.yml with SPI Paypal donation button
    * Don't break from tasks loop when policies fail
    * Enroll in Intune as soon as it is enabled
    * Implement `decoupled hello` behavior
    * Cache encrypted PRT to disk for offline login SSO
    * Update to latest hsm-crypto
    * Enable tpm functionality
    * Allow altering the password and PIN prompt messages
    * Ensure Hello PIN lockout happens when online
    * Cache the build target output to improve build times
    * Easier build selection w/ Makefile
    * Revert mistaken removal from Makefile
    * Make the user wait longer with each incorrect PIN
    * Make the bad PIN count configurable
    * Improve aad-tool manpage
    * aad-tool fails if the user has FIDO2 enabled
    * Offline auth permits authentication with invalid Hello PIN
    * PIN complexity to match Windows
    * Update to latest SSSD idmap code
    * Add aad-tool options for setting posix attrs
    * Add scopes and redirect uris aad-tool application create
    * Add aad-tool commands for managaging extension attrs
    * deps(rust): bump the all-cargo-updates group with 4 updates
    * cargo clippy
    * cargo fmt
    * Utilize the sidtoname call for object id mapping
    * Add commands for listing/creating App registrations
    * Potential fix for code scanning alert no. 2: Workflow does not contain permissions
    * Potential fix for code scanning alert no. 4: Workflow does not contain permissions
    * Potential fix for code scanning alert: Workflow does not contain permissions
    * Never write the app_id to the server config
    * Disable passwordless Fido by default
    * Stop using deprecated `users` crate
    * When group membership lookup fails, use cached groups
    * deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates
    * deps(rust): bump the all-cargo-updates group with 4 updates
    * aad-tool command for enumerating users and groups
    * Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
    * Add the configure-pam option to aad-tool man page
    * Add static idmap cache for on-prem to cloud migration
    * Update bug_report.md with request for himmelblau.conf
    * deps(rust): bump the all-cargo-updates group with 2 updates
    * Update crates in a group
    * Update crate bumps
    * Utilize new Intune compliance enforcement via libhimmelblau
    * Correct the README regarding Intune policy compliance
    * Disable Chromium policy
    * Re-enable Intune policy and add scripts and compliance policies
    * himmelblau.conf alias `domain` as `domains`
    * Support Fido auth in pam passwd
    * Add TAP support to himmelblaud and pam passwd
    * Mixed case names should properly identify Hello Key
    * Update linux-entra-sso to latest version
    * Fix group lookup for Entra Id group name
    * Fix mixed case name lookup from PRT cache
    * Crate updates
    * Fix tasks daemon debug output
    * Remove write locks where unecessary
    * Fix deadlock in nss
    * systemd notify fixes
    * Console
    * Address Feedback
    * Order services before gdb/nss-user-target
    * deps(rust): bump rpassword from 7.3.1 to 7.4.0
    * deps(rust): bump tokio from 1.44.2 to 1.45.0
    * deps(rust): bump sha2 from 0.10.8 to 0.10.9
    * deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2
    * deps(rust): bump clap from 4.5.31 to 4.5.38
    * Update notify-debouncer-full
    * Update opentelemetry
    * Update dependencies
    * deps(rust): bump time from 0.3.39 to 0.3.41
    * Replace source filter that blacklists files with filter that whitelists files.
    * Mark himmelblau.conf as config in rpm
    * Update README.md
    * Ensure only the base URL is printed to log
    * If unix_user_get fails, wait, and try again
    * Supplying a PRT cookie to SSO doesn't require network
    * Don't send a password prompt if the network is down
    * Auth via MFA if Hello PIN fails 3 times
    * Improve Hello PIN failed auth error
    * Fix rocky9 build
    * deps(rust): bump anyhow from 1.0.96 to 1.0.98
    * deps(rust): bump libc from 0.2.170 to 0.2.172
    * deps(rust): bump cc from 1.2.16 to 1.2.19
    * Update README.md
    * deps(rust): bump tokio from 1.43.0 to 1.44.2
    * deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group
    * deps(rust): bump reqwest from 0.12.12 to 0.12.15
    * Update libhimmelblau in Cargo.lock
    * Fix nss and offline checks for domain aliases
    * Report error when MS Authenticator denies authorization
    * Bail out of invalid offline auth
    * Handle AADSTS errors from BeginAuth response
    * Never dump failed reqwests to the log
    * Update sccache-action version to use new cache service
    * Permit daemon to start when network is down
    * Add an nss cache for when daemon is down
    * Additional pam info cues
    * Proceed with Hello auth even with net down
    * Indicate to the user what the password and PIN are
    * Ensure pam messages are seen
    * Display the minimum PIN length during Hello setup
    * PAM should loop, not die on error
    * Ensure prompt msg remains for confirmation
    * Update bug_report.md
    * Ignore demands for setting up MS Authenticator
    * Login fails if Entra is configured to recommend MS authenticator
    * Add pam configure command to aad-tool
    * Update README.md with pam passwd instructions
    * aad-tool authtest needs to map names
    * Update demo video in README.md
    * Sign RPM packages
    * Ensure the pam module is installed correctly for SLE
    * Improve pam error handling and messaging
    * Only push cachix builds for stable releases
    * Terminate linux-entra-sso when browser terminates
    * On deb, push pam config after install
    * Increase priority of deb PAM passwd for Himmelblau
    * Improve offline state handling
    * Specify request for Entra Id password in PAM
    * QR Greeter also supports gnome-shell 47
    * Fix profile photo loading
    * Clarify pam_allow_groups in himmelblau.conf man page
    * Don't hide debug for pam_allow_groups miss
    * Handle failures in passwordless auth
    * build all root packages
    * split config options that can be defined per-domain from those which are global only
    * configure cachix signing and upload in ci
    * deps(rust): bump serde_json from 1.0.138 to 1.0.140
    * deps(rust): bump serde from 1.0.218 to 1.0.219
    * deps(rust): bump time from 0.3.37 to 0.3.39
    * deps(rust): bump bytes from 1.10.0 to 1.10.1
    * deps(rust): bump pkg-config from 0.3.31 to 0.3.32
    * Entra Id is case insensitive, cache lookup must match
    * deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group
    * Support CompanionAppsNotification mfa method
    * QR code for gnome-shell greeter
    * Allow tasks to start if AccountsService dir missing
    * Remove invalid python dependency from sso package
    * Fixes https://github.com/himmelblau-idm/himmelblau/issues/397
    * Clear server config when clearing cache
    * Update version in the Cargo.lock
    * deps(rust): bump async-trait from 0.1.86 to 0.1.87
    * deps(rust): bump chrono from 0.4.39 to 0.4.40
    * Fix himmelblau.conf man page cn_name_mapping entry
    * deps(rust): bump pem from 3.0.4 to 3.0.5
    * deps(rust): bump serde from 1.0.217 to 1.0.218
    * Version 1.0.0
    * deps(rust): bump cc from 1.2.15 to 1.2.16
    * Update workflow versions
* Mon Jul 28 2025 david.mulder@suse.com
  - Update to version 0.9.21+git.0.6963ee0:
    * Fix authentication when passkeys are enabled
    * Version 0.9.20
    * Fix Intermittent auth issue AADSTSError 16000
    * Version 0.9.19
    * Disable cookies
    * Version 0.9.18
    * Cache the build target output to improve build times
    * Easier build selection w/ Makefile
    * Never write the app_id to the server config
* Thu Jun 26 2025 david.mulder@suse.com
  - Update to version 0.9.17+git.0.4a97692:
    * Version 0.9.17
    * Offline auth permits authentication with invalid Hello PIN; (CVE-2025-53013).
    * Cargo fmt
    * Don't neglect to sign the rpm packages
* Tue Jun 17 2025 david.mulder@suse.com
  - Update to version 0.9.16+git.0.aac2205:
    * Disable passwordless Fido by default
    * Stop using deprecated `users` crate
    * Version 0.9.16
    * When group membership lookup fails, use cached groups
    * Just report whether some passwordless type is available
    * Version 0.9.15
    * Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
    * Version 0.9.14
    * Support Fido auth in pam passwd
    * Add TAP support to himmelblaud and pam passwd
    * Mixed case names should properly identify Hello Key
    * Remove write locks where unecessary
    * Fix group lookup for Entra Id group name
    * Version 0.9.13
    * Fix mixed case name lookup from PRT cache
* Tue May 20 2025 david.mulder@suse.com
  - Update to version 0.9.12+git.0.99b5ca6:
    * Version 0.9.12
    * Fix deadlock in nss
    * systemd notify fixes
* Tue Apr 29 2025 david.mulder@suse.com
  - Update to version 0.9.11+git.0.04ef9c8:
    * Ensure only the base URL is printed to log
    * Version 0.9.11
    * Supplying a PRT cookie to SSO doesn't require network
    * Improve Hello PIN failed auth error
    * Fix rocky9 build
    * Fix nss and offline checks for domain aliases
    * Report error when MS Authenticator denies authorization
    * Bail out of invalid offline auth
    * Handle AADSTS errors from BeginAuth response
    * Never dump failed reqwests to the log
    * Update sccache-action version to use new cache service
    * Permit daemon to start when network is down
    * Version 0.9.10
    * Add an nss cache for when daemon is down
    * Additional pam info cues
    * Proceed with Hello auth even with net down
    * Indicate to the user what the password and PIN are
    * Specify request for Entra Id password in PAM
    * Ensure pam messages are seen
    * Display the minimum PIN length during Hello setup
    * PAM should loop, not die on error
    * Ensure prompt msg remains for confirmation
* Tue Apr 15 2025 david.mulder@suse.com
  - Update to version 0.9.9+git.0.5425b98:
    * Version 0.9.9
    * Ignore demands for setting up MS Authenticator
* Thu Mar 20 2025 david.mulder@suse.com
  - Update to version 0.9.8+git.0.3f20b1b:
    * configure cachix signing and upload in ci
    * Version 0.9.8
    * Improve pam error handling and messaging
    * Version 0.9.7
    * Terminate linux-entra-sso when browser terminates
    * On deb, push pam config after install
    * Increase priority of deb PAM passwd for Himmelblau
    * Improve offline state handling
    * QR Greeter also supports gnome-shell 47
    * Version 0.9.6
    * Fix profile photo loading
    * Clarify pam_allow_groups in himmelblau.conf man page
    * Don't hide debug for pam_allow_groups miss
    * Version 0.9.5
    * Handle failures in passwordless auth
* Tue Mar 11 2025 david.mulder@suse.com
  - Update to version 0.9.4+git.0.9909238:
    * Version 0.9.4
    * bump ring from 0.17.9 to 0.17.13
    * Entra Id is case insensitive, cache lookup must match
    * Support CompanionAppsNotification mfa method
    * Version 0.9.2
    * QR code for gnome-shell greeter
    * Allow tasks to start if AccountsService dir missing
    * Remove invalid python dependency from sso package
    * Version 0.9.1
    * himmelblaud-tasks stops due to missing dir
    * Clear server config when clearing cache
    * Fix himmelblau.conf man page cn_name_mapping entry
    * Update workflow versions
    * Document the requirements for app_id
    * Properly handle aad error from auth code req
    * Provide a group gid fallback for rfc2307 id map
    * Remove option defs from the default debian himmelblau.conf
    * Ensure tasks daemon creates files w/ correct gid
    * Isolate the name mapping so it only happens if enabled
    * Default to request group info via Edge browser
    * Avoid modifying the cache entries
    * Utilize systemd notify to avoid tasks started fail
    * Ubuntu PAM module configuration to change PIN
    * Resolve migration error `real_gidnumber` missing
    * deps(rust): bump libc from 0.2.169 to 0.2.170
    * deps(rust): bump clap_complete from 4.5.45 to 4.5.46
    * Fix some clippy warnings
    * Cause tasks daemon to honor configured debug
    * Fetch user profile photo via tasks daemon
    * deps(rust): bump clap from 4.5.30 to 4.5.31
    * deps(rust): bump anyhow from 1.0.95 to 1.0.96
    * deps(rust): bump cc from 1.2.14 to 1.2.15
    * Add apparmor whitelisting for nss mapping cache
    * Dramatically improve debug logging
    * Move the NixOS CI to a different workflow (w/out main)
    * Add a sample himmelblau.conf in docs
    * Resolve missed auth code redirect
    * Implement mapped name caching in NSS
    * Add script on-behalf-of flow for logon scripts
    * Update Cargo.lock deps
    * Update installation instructions in the README
    * Donation requests in the issue templates
    * Update README.md with contribute badge
    * Update README.md with contributions statement
    * Create FUNDING.yml
    * Update README.md
    * fix failing test expecting /bin/echo to be available
    * add nixos ci tests
    * Use sd_notify to signal service readiness, prevent startup failures
    * Add build command to Makefile
    * Update documentation
    * Add NixOS Module
    * enable build with nix
    * Implement logon name script mapping
    * deps(rust): update libnss requirement from 0.8.0 to 0.9.0
    * Only the himmelblau-sso package should conflict with intune-portal
    * deps(rust): update gethostname requirement from 0.5.0 to 1.0.0
    * deps(rust): update lru requirement from ^0.12.3 to ^0.13.0
    * deps(rust): update rand requirement from ^0.8.5 to ^0.9.0
    * Fetch the group extension attrs with the group object
    * Ensure access token has the GroupMember.Read.All scope
    * Replace the unix attribute option with a rfc2307 idmap
    * Map the extended attr gidNumber to primary group
    * Permit configuration of an Application for group fetching
    * Use posix attributes synchronized from on-prem AD
    * Fix debug option in himmelblau.conf
    * Add a span around server initialisation for correct log coalescing
    * Fix GOA crash when krb5.conf doesn't include /etc/krb5.conf.d
    * Fix libutf8proc dependency issue on Ubuntu 22.04
    * Fix Credentials leaking in the debug log
    * deps(rust): update rusqlite requirement from ^0.32.0 to ^0.33.0 (#345)
    * Decrease CI build time
    * Fix CI failure caused by package revision
    * Support password changes when demanded
    * Update README.md
    * Entra Id no longer permits SFA enrollment
    * Rewrite the sso code in Rust
    * Add profile photo fetching
    * Version 0.9.0
* Mon Jan 27 2025 david.mulder@suse.com
  - Update to version 0.8.3+git.5.1510f5a:
    * Decrease CI build time
    * Fix CI failure caused by package revision
    * Version 0.8.4
    * Fix libutf8proc dependency issue on Ubuntu 22.04
    * Version 0.8.3
    * Fix Credentials leaking in the debug log
* Fri Jan 17 2025 david.mulder@suse.com
  - Update to version 0.8.2+git.0.553c632:
    * Version 0.8.2
    * Entra Id no longer permits SFA enrollment
    * Remove SSO python dependencies
    * Version 0.8.1
    * Rewrite the sso code in Rust
* Thu Dec 19 2024 david.mulder@suse.com
  - Update to version 0.8.0+git.0.249ba5f:
    * Branch version stable-0.8.x
    * Passwordless auth doesn't provide polling numbers
    * Resolve deadlock introduced by Fido auth
    * Implement NGC Passwordless authentication
    * Remove unused commit checklist
    * deps(rust): update bindgen requirement from 0.70.1 to 0.71.1
    * Update libhimmelblau version
    * Custom domains matching
    * Fix IdmapError to indicate the failure
    * Fix Fedora build dependencies
    * Add Fido MFA
    * Add Debian 12 packaging
    * Disable SELinux labeling on build container volume mounts
    * Update github CI dependencies
    * Implement Hello Pin changes via PAM
    * Formatting fix
    * Utilize HimmelblauConfig directly in pam and nss
    * Add config parsing unit tests
    * Fix incorrect default domain
    * Fix config hsm type Tpm error
    * Include multi-domain important info in himmelblau.conf man
    * Update to the latest libhimmelblau
    * Add DAG flow as a fallback for MFA
    * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept`
    * Update README.md with build requires
    * Enable module for utf8proc-devel in Rocky8
    * Remove the org.samba.himmelblau dbus service
    * Fix missing dependency utf8proc_NFKC_Casefold
    * The tasks daemon needs /etc/groups write access
    * Revert "Fix Ubuntu PAM fallback to password prompt"
    * Fix Ubuntu PAM fallback to password prompt
    * Increase the cache timeout to 5 minutes
    * Always fetch and cache the graph url
    * Package Siemens Linux Entra SSO for Himmelblau
    * Add Kerberos CCache support
    * Update the tasks daemon man page
    * Add a himmelblau.conf man page, and package the man pages
    * Add SLE15SP6 packaging
    * Add Fedora 41 packaging
    * Add Fedora Rawhide packaging
    * Provide enhancement request template
    * Create an issue template
    * Hello support depends on openssl3
    * Fix sshd rpm depends
    * Resolve RPM dependencies automatically
    * Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4"
    * Add openSUSE Tumbleweed packaging
    * Fix RPM packaging placement of systemd files
    * Remove the failed attempt at debian packaging
    * Add stable-0.7.x to CI workflows
    * Version 0.8.0
* Thu Dec 12 2024 david.mulder@suse.com
  - Update to version 0.7.13+git.0.d790d31:
    * Version 0.7.13
    * Fix Fedora build dependencies
    * Version 0.7.12
    * Add Debian 12 packaging
    * Update github CI dependencies
    * Version 0.7.11
    * Implement Hello Pin changes via PAM
    * Utilize HimmelblauConfig directly in pam and nss
    * Version 0.7.10
    * Add config parsing unit tests
    * Fix incorrect default domain
    * Fix config hsm type Tpm error
    * Include multi-domain important info in himmelblau.conf man
* Thu Dec 05 2024 david.mulder@suse.com
  - Update to version 0.7.9+git.0.93655d2:
    * Version 0.7.9
    * Update to the latest libhimmelblau
    * Version 0.7.8
    * Add a himmelblau.conf man page, and package the man pages
    * Add DAG flow as a fallback for MFA
* Mon Dec 02 2024 david.mulder@suse.com
  - Update to version 0.7.7+git.0.b48d0bb:
    * Version 0.7.7
    * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept`
      (bsc#1233949).
    * Version 0.7.6
    * Enable module for utf8proc-devel in Rocky8
* Mon Nov 25 2024 david.mulder@suse.com
  - Update to version 0.7.5+git.0.8f421b0:
    * Version 0.7.5
    * Remove the org.samba.himmelblau dbus service
* Mon Nov 25 2024 david.mulder@suse.com
  - Update to version 0.7.4+git.0.d1291c6:
    * Version 0.7.4
    * Fix missing dependency utf8proc_NFKC_Casefold
    * Package Siemens Linux Entra SSO for Himmelblau
    * Add SLE15SP6 packaging
    * Add Fedora 41 packaging
    * Add Fedora Rawhide packaging
    * The tasks daemon needs /etc/groups write access
    * Version 0.7.3
    * Increase the cache timeout to 5 minutes
    * Always fetch and cache the graph url
* Mon Nov 25 2024 david.mulder@suse.com
  - Update to version 0.7.2+git.0.c76ac0e:
    * Version 0.7.2
    * Hello support depends on openssl3
    * Version 0.7.1
    * Fix sshd rpm depends
    * Resolve RPM dependencies automatically
    * Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4"
    * Add openSUSE Tumbleweed packaging
    * Fix RPM packaging placement of systemd files
    * Remove the failed attempt at debian packaging
    * Add stable-0.7.x to CI workflows
    * deps(rust): update utoipa requirement from 4.0.0 to 4.2.0
    * deps(rust): update hashbrown requirement from 0.14.0 to 0.15.1
    * Remove missing feature causing warnings
    * deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4
    * Specify scopes when making an SSO request
    * Implement logon script for ensuring compliance
    * Option for adding Entra Id users to local groups
    * Configure EL sshd with ChallengeResponseAuthentication yes
    * Add rocky 8 packaging
    * Add RPM packaging for EL9
    * Modify Ubuntu defaults to fix snaps
    * Resolve Libreoffice fails to start on Ubuntu
    * Minor formatting fix
    * Revert RwLock -> Arc<Mutex> change in idmap
    * Ignore broker scopes requests for now
    * Ensure every file specifies the proper license
    * postinst should not fail on patch or apparmor update
    * Install pam module to additional location via make
    * Add sshd config to the Makefile
    * Don't use sudo in postinst/postrm scripts for deb
    * PAM should be placed first in the stack
    * Add the libutf8proc-dev dep for deb
    * Match the object ID of the fake user and group
    * Make it possible to stop the broker service
    * Move sshd config into it's own debian package
    * Allow the graph to start w/out network
    * Add hello_pin_min_length conf option
    * Don't attempt SFA fallback if AADSTSError
    * Have libhimmelblau handle the DAG fallback
    * Add a warning to user that SSH needs restarted
    * Ensure local users are ignored when CN mapping
    * Ensure DAG is rejected if lifetime expires
    * Rework the poll logic to resolve timeout issues
    * Add a sshd soft depends for the deb package
    * CN name mapping in PAM and NSS
    * Make CN an optional home directory attribute
    * Remove the sssd build dependencies
    * Configuration patches for himmelblau on Debian
    * Simplify PAM get_item_string calls
    * Bug in pam which needs defended against
    * Fix deb build by adding Broker service file
    * Install Ubuntu unix-chkpwd apparmor deps
    * Ensure make install places pam_himmelblau correctly
    * Add Ubuntu pam-config for pam_himmelblau
    * Never return Err(PAM_SUCCESS) from get_user
    * Never return the Pam result from get_user()
    * Revert "Speed up nss requests w/out auth attempt"
    * Speed up nss requests w/out auth attempt
    * Fix some broker responses
    * Fixes for the dbus broker
    * Attempt to fix the cargo version in launchpad build
    * Makefile typo fixes
    * Version 0.7.0
    * Add libdbus-1-dev dep
    * Improve the README installation instructions
    * Add `make install` command
    * Improve Debian/Ubuntu install instructions
    * Fix tag push permissions for tag-version workflow
    * Add a version check script
    * Remove the rustc dependency, breaking rustup
    * Add a debug option to the config
    * DBus requires that the service file match the name
    * Add a pam option for the OpenSSH 2876 workaround
    * Update to the latest libhimmelblau
* Tue Oct 22 2024 david.mulder@suse.com
  - Update to version 0.6.14+git.0.bbda0b6:
    * Version 0.6.14
    * postinst should not fail on patch or apparmor update
    * Version 0.6.13
    * Don't use sudo in postinst/postrm scripts for deb
    * Version 0.6.12
    * PAM should be placed first in the stack
    * Match the object ID of the fake user and group
    * Version 0.6.11
    * Move sshd config into it's own debian package
    * Version 0.6.10
    * Allow the graph to start w/out network
    * Add hello_pin_min_length conf option
    * Version 0.6.9
    * Don't attempt SFA fallback if AADSTSError
    * Have libhimmelblau handle the DAG fallback
    * Add a warning to user that SSH needs restarted
    * Version 0.6.8
    * Ensure local users are ignored when CN mapping
    * Ensure DAG is rejected if lifetime expires
    * Version 0.6.7
    * Rework the poll logic to resolve timeout issues
    * Version 0.6.6
    * Add a sshd soft depends for the deb package
    * CN name mapping in PAM and NSS
    * Version 0.6.5
    * Make CN an optional home directory attribute
    * Version 0.6.4
    * Add Ubuntu pam-config for pam_himmelblau
    * Configuration patches for himmelblau on Debian
    * Version 0.6.3
    * Bug in pam which needs defended against
    * Version 0.6.2
    * Never return the Pam result from get_user()
    * Correct installation directory of the deb pam module
    * Makefile typo fixes
    * Add libdbus-1-dev dep
    * Version 0.6.1
    * Debian build requires libdbus-1-dev
* Wed Oct 02 2024 david.mulder@suse.com
  - Update to version 0.6.0+git.0.b8dae18:
    * Attempt to fix the cargo version in launchpad build
    * Add branch stable-0.6.x to the workflows
    * Install the pam module to the proper location
    * Update README.md
    * Add a debug option to the config
    * Add a pam option for the OpenSSH 2876 workaround
    * Update to the latest libhimmelblau
    * Authorize all users when pam_allow_groups is empty
    * Fix clippy warnings
    * Fix pam echo not displayed via ssh
    * Fix pam failure to register Pin following mfa poll
    * Fork from kanidm
    * Version 0.6.0
    * Add cargo deb build
    * Version 0.5.3
    * Improve the README installation instructions
    * Add `make install` command
    * Improve Debian/Ubuntu install instructions
    * Fix tag push permissions for tag-version workflow
    * Version 0.5.2
    * Add a version check script
    * Version 0.5.1
    * Remove the rustc dependency, breaking rustup
    * Added Debian packaging workflow and files
* Thu Sep 12 2024 William Brown <william.brown@suse.com>
  - explicitly depend on cargo to pull in latest compiler revision
* Wed Sep 04 2024 david.mulder@suse.com
  - Update to version 0.5.0+git.0.22f84f0:
    * Update workflows for 0.5.x
    * Update Debian dependencies in README.md
    * Compilation fails on Ubuntu, missing ldb header
    * Fix base32 with kandim updates
    * deps(rust): update base32 requirement from ^0.4.0 to ^0.5.0
    * deps(rust): update scim_proto requirement from ^0.2.1 to ^1.3.2
    * deps(rust): update bindgen requirement from 0.69.4 to 0.70.1
    * Fix CI failures caused by cargo 1.80.1
    * Update to libhimmelblau version 0.2.9
    * deps(rust): update rusqlite requirement from ^0.31.0 to ^0.32.0
    * deps(rust): update tonic requirement from 0.11.0 to 0.12.0
    * update libnss requirement from 0.7.0 to 0.8.0
    * Switch to using libhimmelblau
    * himmelblaud stops working after suspend
    * Update required packages for tumbleweed
    * Disable the SFA fallback by default
    * Fix ConsolidatedTelephony MFA method
    * Use the group ID for the name if no display name
    * Use latest msal with MFA fixes
    * PhoneAppNotification is not a cred request algorithm
    * The polling_interval is in milliseconds, not seconds
    * OneWaySMS is additionally a valid OTP
    * Relicensing as GPL3, as SSSD source inclusion requires
    * Utilize the graph code in msal
    * config: Remove comments about experimental policy enforement
    * Remove the experimental policy code from the id provider
    * Fix a refresh token leak in debug from msal
    * Correct README details
    * Always normalize idmap upn inputs
    * Add video links to the README
    * Minor updates to the Contributing section
    * Add a Installation section to the README
    * Add the new SSSD idmap build deps to the README
    * Add a section about donations
    * Include the Samba Technical matrix channel
    * Add github workflows for the 0.4.x branch
    * Version 0.5.0 bump for main
* Mon Jul 15 2024 david.mulder@suse.com
  - Update to version 0.4.3+git.2.6379abc:
    * Specifically use msal 0.2.6
    * Version 0.4.3
    * update libnss requirement from 0.7.0 to 0.8.0
    * himmelblaud stops working after suspend
    * Version 0.4.2
    * Fix ConsolidatedTelephony MFA method
* Wed May 29 2024 david.mulder@suse.com
  - Update to version 0.4.1+git.0.41dd0dc:
    * Version 0.4.1
    * Use latest msal with MFA fixes
    * PhoneAppNotification is not a cred request algorithm
    * The polling_interval is in milliseconds, not seconds
    * OneWaySMS is additionally a valid OTP
    * Relicensing as GPL3, as SSSD source inclusion requires
* Wed May 22 2024 david.mulder@suse.com
  - Update to version 0.4.0+git.4.63e3704:
    * Fix a refresh token leak in debug from msal
* Wed May 22 2024 david.mulder@suse.com
  - Update to version 0.4.0+git.2.7b57f5e:
    * Always normalize idmap upn inputs
* Mon May 20 2024 david.mulder@suse.com
  - Update to version 0.4.0+git.0.69b64fe:
    * Add github workflows for the 0.4.x branch
    * Do not append to pam_allow_groups automatically
    * Pam Allow Groups must be specified by Object ID
    * Request the correct resource and permissions
    * Improve error output on group lookup failure
    * When faking a uuid for NSS, use a random uuid
    * Fix clippy warning about inefficient use of clone()
    * Remove the initial uid hack, use name mapping
    * Don't stop an MR based on a clippy warning
    * Update Kanidm tracking
    * Modify CI workflows to handle idmap build
    * Add CI job for cargo test
    * Test the new and legacy idmapping
    * Ensure duplicate providers are not started
    * Use the SSSD Idmap code in Himmelblau
    * Specify in conf that pam_allow_groups is required
    * Remove code duplication in Hello PIN auth
    * Fix Device authentication failed after enrollment
    * Update the base64urlsafedata version
    * Update README.md with Matrix contact info
    * Version 0.4.0
* Wed May 15 2024 david.mulder@suse.com
  - Update to version 0.3.4+git.0.01d099f:
    * Version 0.3.4
    * Only remove cached user if it doesn't exist
    * Use existing user token at refresh
    * Always use the spn of the user for nss requests
    * Generate a fake user token to please SSH
    * Fix aad-tool to handle MFA
    * Fix lib_crypto version
    * Fix user dropping from NSS
* Fri May 10 2024 david.mulder@suse.com
  - Himmelblau requires libopenssl-3 for PRT messages.
* Thu May 09 2024 david.mulder@suse.com
  - Update to version 0.3.3+git.0.c2197d7:
    * Correct the debug messages for Hello skip
    * Version 0.3.3
    * Allow disabling Hello PIN auth for enrolled users
    * Add an option for disabling Windows Hello
    * Remove the TODO doc from stable branch
    * config: Remove comments about experimental policy enforement
* Tue May 07 2024 david.mulder@suse.com
  - Update to version 0.3.2+git.0.de9f5b5:
    * Version 0.3.2
    * Fix Hello PIN Authentication error, no nonce
* Mon Apr 29 2024 david.mulder@suse.com
  - Update to version 0.3.1+git.0.359a8d0:
    * Add github workflows for the 0.3.x branch
    * Fallback to SFA first if MFA fails Browse files
    * deps(rust): update libnss requirement from 0.6.0 to 0.7.0
    * deps(rust): update webauthn-rs-proto requirement from 0.4.8 to 0.5.0
    * Fix deadlock caused by client write lock
    * Add rid idmapping (replacing existing idmap)
    * Additional debug for Hello auth
    * Make proto Cargo.toml a physical file
    * Push the clippy arg count limit a little higher
    * Version 0.3.0
    * Windows Hello PIN implementation
    * deps(rust): update hostname requirement from ^0.3.1 to ^0.4.0
    * Enable actions on stable branches
    * Prevent dependabot from updating opentelemetry
    * Revert "deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93)"
    * deps(rust): update reqwest requirement from ^0.11.18 to ^0.12.2 (#95)
    * deps(rust): update lru requirement from ^0.8.0 to ^0.12.3 (#94)
    * deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93)
    * deps(rust): update num_enum requirement from ^0.5.11 to ^0.7.2 (#92)
    * deps(rust): update tonic requirement from 0.10.2 to 0.11.0 (#91)
    * Use the Kanidm MFA patches
    * deps(rust): update libnss requirement from 0.5.0 to 0.6.0 (#90)
    * deps(rust): update tracing-opentelemetry requirement (#89)
    * deps(rust): update rusqlite requirement from ^0.28.0 to ^0.31.0 (#88)
    * deps(rust): update clap requirement from ^3.2 to ^4.5 (#87)
    * deps(rust): update kanidm-hsm-crypto requirement from ^0.1.6 to ^0.2.0 (#86)
    * Update dependabot.yml
    * Add missing db dependency on sketching
    * Set the workspace resolver version to 2
    * Init the kanidm submodule during workflows
    * Ignore clippy blocks_in_conditions warning in daemon
    * Add build/clippy/dependabot_automerge workflows
    * deps(rust): update opentelemetry-otlp requirement from 0.13.0 to 0.15.0
    * deps(rust): update opentelemetry_sdk requirement from 0.20.0 to 0.22.1
    * deps(rust): update base64 requirement from ^0.21.5 to ^0.22.0
    * deps(rust): update notify-debouncer-full requirement from 0.1 to 0.3
    * deps(rust): update systemd-journal-logger requirement
    * Create dependabot.yml
    * Add MFA capabilities
    * Update to the latest Kanidm reqs
    * Always force MFA when enrolling the device
    * Update to latest msal
* Thu Feb 29 2024 dmulder@suse.com
  - Himmelblau provides the features found in aad-auth packages from
    other distros.
* Tue Feb 20 2024 dmulder@suse.com
  - Update to version 0.2.0+git.4.904b915:
    * Update to latest msal
    * Version 0.2.0
    * Himmelblau now authenticates only to configured domains
    * Remove reference to python-msal dep in README
    * Use the external MSAL crate for auth
    * Rename msal in prep for external msal crate
    * msal: Remove python msal bindings
    * msal: Rust msal
    * Point Cargo.toml to new project home
    * config: Write domain join to server specific config
    * idprovider: Invalidate cached user if PRT req fails
    * idprovider: Pass the keystore to the auth function
    * Update daemon from kanidm
    * test: Add a pause to ensure tasks daemon sees himmelblau
    * Update kanidm submodule
    * config: Include domain sections in configured domains
    * msal: Add acquire_token_by_refresh_token
    * enrollment: Authentication fixes
    * tests: Create the hsm-pin directory
    * idprovider: Add domain join debug
    * cargo: Use relative paths and remove most symlinks
    * idprovider: Allow group search when device is authenticated
    * msal: Move the application reqs from misc to msal::application
    * msal: Move user reqs from misc to msal::user
    * Remove duplicates from allow_groups during enrollment
    * Remove device enrollment from TODO
    * Implement Device enrollment
    * enrollment: Add the nonce service request
    * enrollment: Add enrollment service discovery
    * Implement ConfidentialClientApplication for enrollment
    * daemon: Fix inverted logic on cache dir check
    * nss: Use upstream nss package
    * idprovider: Provider auth needs to point to just the host
    * config: Consistently use the config file provided to the daemon
    * cargo: Use relative paths and remove most symlinks
    * clippy: Add kanidm's clippy config
    * config: Only check for tenant_id, authority, graph if necessary
    * Update README.md
    * Update version to 0.1.2
    * config: Fix typos in the config file
    * Make most params to acquire_token_interactive optional
    * Config can take defaults
    * cli: Add missing cli opt file
    * cli: Improve aad-tool options and interface
    * Update README.md
    * tests: Fix tasks daemon name typo
    * Remove MFA from TODO
* Fri Dec 22 2023 dmulder@suse.com
  - Update to version 0.1.1+git.10.4aa76b7:
    * daemon: Fix inverted logic on cache dir check
    * nss: Use upstream nss package
    * idprovider: Provider auth needs to point to just the host
    * config: Consistently use the config file provided to the daemon
    * cargo: Use relative paths and remove most symlinks
    * clippy: Add kanidm's clippy config
    * config: Only check for tenant_id, authority, graph if necessary
    * Correct the cargo version
* Mon Nov 13 2023 dmulder@suse.com
  - Update to version 0.1.1+git.0.6d2f645:
    * config: Remove comments about experimental policy enforement
    * config: Fix typos in the config file
* Tue Sep 26 2023 Jan Engelhardt <jengelh@inai.de>
  - Reduce size of expanded scriptlets by reducing %service_* calls
  - Wrap descriptions
* Thu Sep 14 2023 david.mulder@suse.com
  - Update to version 0.1.0+git.2.2391ac0:
    * Update version to 0.1.0
    * Update the README
    * idprovider: Fix mixed case auth failure
    * daemon: Port daemon changes from kanidm
    * provider: Skip provider init on silent auth and offline
    * daemon: Run himmelblaud as non-root dynamic user
* Tue Sep 12 2023 david.mulder@suse.com
  - Update to version 0.0.4+git.50.112df77:
    * Always match DAG where present
    * Prohibit authentication with changing IDs
* Fri Sep 08 2023 david.mulder@suse.com
  - Update to version 0.0.4+git.42.d641c8b:
    * Run cargo fmt and cargo clippy
    * Implement DeviceAuthorizationGrant for MFA
    * test: Initialize the pam_allow_groups with users
    * Use new pam state machine in himmelblau
    * Remove the non-functional device enrollment
    * TODO: New details regarding MS auth cache
    * daemon: Implement pam allow groups
    * Code rearrangement
* Thu Aug 10 2023 dmulder@suse.com
  - Update to version 0.0.4+git.30.26c26e7:
    * aad-tool: Disable enrollment by default
    * provider: Fetch GECOS from old token on silent acquire
    * msal: Add bindings for device auth flow
    * Add debug for local user ignore
    * provider: Only retry auth if we're sure group read was requested
    * provider: Provide user token refresh
    * provider: Cause unix_group_get to respond with BadRequest
    * provider: Implement provider_authenticate
* Tue Aug 08 2023 dmulder@suse.com
  - Update to version 0.0.4+git.9.a7c5ac2:
    * osc breaks with workspace errors using symlinks
    * gp: Disable MDM policies by default
* Mon Aug 07 2023 dmulder@suse.com
  - Update to version 0.0.4+git.3.b500f1f:
    * Update serde version
    * Update version to 0.0.4
    * Only build necessary bits of kanidm proto
    * Add cache operations to daemon and aad-tool
    * tests: Include local cache of rust deps
    * cache: Use the kanidm cache backend
* Mon Jul 31 2023 dmulder@suse.com
  - Update to version 0.0.3+git.10.761b4d2:
    * gp: Apply chromium policies
    * gp: Implement Group Policy object listing
    * test: Fix build test failure
    * tests: Return the correct error code from tests
    * test: Separate project build from docker build
    * tests: Deploy config when testing
* Tue Jul 18 2023 dmulder@suse.com
  - Update to version 0.0.3+git.3.f0883b1:
    * nss: Fix misaligned pointer dereference errors
    * Fix code links
* Mon Jul 17 2023 dmulder@suse.com
  - Update to version 0.0.3+git.1.e6847eb:
    * Revert "nss: Use kanidm nss code"
    * Update lib versions to match package version
    * Shallow clone kanidm for pam/nss
    * tests: Fix tar recursion
* Fri Jul 14 2023 dmulder@suse.com
  - Update to version 0.0.2+git.22.1c3ce4b:
    * Remove symlinks and just point to kanidm sources
    * nss: Use kanidm nss code
    * Add submodule commands to main Makefile
    * pam: Use kanidm pam code, glue into himmelblau
    * TODO: Only auth to configured domains
* Mon Jul 10 2023 dmulder@suse.com
  - Update to version 0.0.2+git.15.d42b114:
    * aad-tool: Enroll via the daemon
    * config: Add func for requesting configured socket path
    * aad-tool: Improve enroll options
* Mon Jul 10 2023 dmulder@suse.com
  - Update to version 0.0.2+git.11.91df240:
    * daemon: Add a systemd service
    * daemon: Don't request group read scope if using Intune
    * TODO: Mention the work needed for the cache
    * README: Include homedir creation instructions
    * daemon: If auth fails, indicate the user
* Fri Jul 07 2023 dmulder@suse.com
  - Update to version 0.0.2+git.6.de1afd6:
    * test: Ensure invalid users aren't cached
    * test: Skip getent group tests failing due to nss issue
    * tests: Add nss tests
    * tests: Test pam auth
    * msal: Allow fetching auth url
* Wed Jun 28 2023 dmulder@suse.com
  - Update to version 0.0.2+git.0.5bfbedd:
    * cache: Make the cache persistent
    * TODO: Cannot fudge an initial nss request
    * Use tracing for debug instead of log
    * aad-tool: Fix some build warnings
    * aad-tool: Add TODO comments regarding enrollment issues
    * aad-tool: Always use interactive enrollment
    * fix readme
    * aad-tool: Save the device_id after enrollment
    * aad-tool: Cannot enroll in Intune Portal directly
    * aad-tool: Parse the enrollment response
    * aad-tool: Add a enroll command for Azure AD device
    * memcache: Only append existing group member if missing
    * himmelblaud: Fix login when Intune errors on group read
    * memcache: Create a memcache for user and group caching
    * TODO: Group memberships
    * TODO: NSS requests via GET reqs
    * config: Include default for authority_host
    * config: Specify constants for defaults
    * Cleanup the build depencencies
    * TODO: Fix the headings
    * TODO: Add major reqs section
    * Cause the odc provider to supply the authority_host
    * TODO: Use tracing module
    * Include offline logon in todo list
    * Add a TODO list
    * Discover the tenant_id in the same manner as Intune
    * himmelblaud: Debug for unknown user/group
    * himmelblaud: Fix failure to cache user
    * himmelblaud: Pam Allowed and Sessions stubs
    * himmelblaud: Implement NssGroupByGid and NssAccountByUid
    * himmelblaud: Implement group lookups
    * Include the gecos in the mem cache
    * Use config for shell, homedir, uid range, tenant
    * Improve Developer Readme
    * config: Config should not default app_id
    * Remove invalid comment
    * himmelblaud: Return with failure without tenant_id
    * config: Move the config to unix_common module
    * himmelblaud: Make the socket path configurable
    * himmelblaud: Use Intune portal when app_id unset
* Fri Jun 02 2023 dmulder@suse.com
  - Update to version 0.0.1+git.15.f9a024e:
    * Generate unix uid/gid
    * himmelblaud: Stubs for NssGroupByName and NssGroups
    * himmelblaud: Fix auth failure error message
    * himmelblaud: Open socket with permissions for users to read/write
    * msal: Fix nssaccountbyname lookup
    * himmelblaud: Improve logging
    * Include systemd journal logging
    * msal: Fix failure parsing user token dict
    * Implement simple NssAccountByName
    * Implement basic NssAccounts request
    * pam: Fix unused variable warning
    * himmelblaud: Rewrite the daemon in Rust
    * msal: Add a simple rust binding to python msal
    * Remove the python daemon in favor of Rust
* Fri May 26 2023 dmulder@suse.com
  - Update to version 0.0.1+git.0.56eb9f0:
    * himmelblaud: Implement nss lookups in the daemon
    * himmelblaud: Allow anyone to r/w the socket
    * himmelblaud: Implement simple nss getpwent name
    * pam: Remove account allowed and being session impl
    * unix_common: UID and GID need not match
    * himmelblaud: Improve the debug output
    * himmelblaud: Remove stdout debug since logging to journald
    * himmelblaud: Log to the systemd journal
    * nss: Add the nss module
    * Improve directory structure

Files

/etc/firefox
/etc/firefox/policies
/etc/firefox/policies/policies.json
/usr/bin/linux-entra-sso
/usr/lib64/mozilla
/usr/lib64/mozilla/native-messaging-hosts
/usr/lib64/mozilla/native-messaging-hosts/linux_entra_sso.json


Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Oct 25 22:33:49 2025