Major release removing LDAP support
Added:
* Service and non-service users may use the same Unix UID range
* CLI commands for managing users, groups and roles
* 2FA status of users is visible in admin interface
* Database-stored service objects that group OAuth2 and API clients
together
Removed:
* Support for old invite, selfservice and signup links (deprecated in
v1.1.1)
* ENABLE_INVITE, ENABLE_PASSWORDRESET, ENABLE_ROLESELFSERVICE config
options
Changed:
* User, group and mail alias data is stored in the database instead
of an LDAP server. Existing objects are imported. All LDAP support
is removed.
* Receive addresses of mail aliases are subject to alphabet
constraints and converted to lower-case on import
* Group names are subject to alphabet and length constraints
* OAuth2 clients
  * Removed parameter "login_message"
  * Parameter "group_required" no longer supports AND/OR conjunctions
    of multiple groups, only a single group name
  * Clients defined with OAUTH2_CLIENTS config option moved to
    database. Existing clients are imported.
  * Service name is displayed in place of the client_id during device
    login
  * OAuth2 userinfo endpoint no longer exposes "ldap_dn"
* API clients
  * Removed API_CLIENTS config option (deprecated in v1.2.0)
  * Clients defined with API_CLIENTS_2 config option moved to
    database. Existing clients are imported.
* Argon2 replaces salted SHA256 for hashing user passwords. Existing
passwords are gradually migrated on login. Argon2 has a significant
impact on CPU and memory utilization.
* Default UWSGI config uses multiple workers
* Enabled foreign key support for SQLite
* Expired objects are no longer deleted during request processing.
Instead the CLI command "cleanup" must be run at least daily. The
Debian package includes a cron job for this.
* Environment variable CONFIG_PATH supersedes CONFIG_FILENAME
* The default value of config option ACL_ACCESS_GROUP changed
See UPGRADE.md for detailed upgrade instructions.
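
Added example (not code from this project): a sketch of the "migrate on login" pattern named in the Argon2 entry above. A legacy salted-SHA256 hash is verified once and, only on a correct password, replaced with a memory-hard hash. Assumptions: the "scheme$salt$digest" storage format and all function names are hypothetical, and hashlib.scrypt from the Python standard library stands in for Argon2 so the example runs without third-party packages.

```python
import base64
import hashlib
import hmac
import os

# Assumed storage format (hypothetical, not the project's): "<scheme>$<b64 salt>$<b64 digest>"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # stand-in cost settings, about 16 MiB per hash

def _b64(raw):
    return base64.b64encode(raw).decode()

def _digest(scheme, password, salt):
    pw = password.encode()
    if scheme == "ssha256":   # legacy: a single fast SHA256 pass over password + salt
        return hashlib.sha256(pw + salt).digest()
    if scheme == "scrypt":    # memory-hard KDF standing in for Argon2
        return hashlib.scrypt(pw, salt=salt, **SCRYPT_PARAMS)
    raise ValueError("unknown hash scheme: " + scheme)

def make_hash(password, scheme="scrypt"):
    salt = os.urandom(16)
    return "$".join((scheme, _b64(salt), _b64(_digest(scheme, password, salt))))

def verify(stored, password):
    scheme, salt, digest = stored.split("$")
    candidate = _digest(scheme, password, base64.b64decode(salt))
    # Constant-time comparison of the recomputed and stored digests
    return hmac.compare_digest(candidate, base64.b64decode(digest))

def login(db, user, password):
    """Return True on success. A legacy hash is upgraded in place, because
    the plaintext needed to compute the new hash is only available now."""
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False              # failed logins never modify the stored hash
    if not stored.startswith("scrypt$"):
        db[user] = make_hash(password)
    return True

if __name__ == "__main__":
    # Constructed sample account that still carries a legacy hash
    db = {"alice": make_hash("correct horse", scheme="ssha256")}
    print(login(db, "alice", "wrong"), db["alice"].split("$")[0])
    print(login(db, "alice", "correct horse"), db["alice"].split("$")[0])
```

Accounts that never log in again keep their legacy hash, which is why the migration is gradual.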