Package sssd: Information

- Update to latest 2.9 major release.
  + KCM: provide mechanism to purge expired credentials.
  + Default hardening - id_provider channel defaults unencrypted with starttls.
  + sssd-sudo missing debug statement in its .service file.
  + SSSD goes offline during initgroups of trusted user if a group is
    missing SID.
  + Incorrect handling of reverse IPv6 update results in update failure.
  + sssd-2.9.2 breaks smart card authentication (on el8).
- The proxy provider is now able to handle certificate mapping and matching
  rules and users handled by the proxy provider can be configured for local
  Smartcard authentication.
- Passkey doesn't fail when using FreeIPA server-side authentication and
  require-user-verification=false.
- When adding a new credential to KCM and the user has already reached their
  limit, the oldest expired credential will be removed to free some space.

- Update to latest 2.9 major release.
- sss_simpleifp library removed due it deprecated.
- "Files provider" removed due it deprecated, using "Proxy provider" with
  proxy_lib_name = files instead.
- New passkey functionality, which will allow the use of FIDO2 compliant devices
  to authenticate a centrally managed user locally.
- Default value of cache_first option was changed to true.
- sssctl cert-show and cert-show cert-eval-rule can now be run as non-root user.
- certmap: Handle type change of x400Address (due to CVE-2023-0286).
- New option local_auth_policy is added to control which offline authentication
  methods will be enabled by SSSD.
- SSSD can be configured not to perform a DNS search during DNS name resolution.
  This behavior is governed by the new dns_resolver_use_search_list in the
  domain section. Default value is true (follows the system settings).

- NMU: Backport upstream commit to fix build with krb5 1.21*