IPAv2 2190 alpha2

The FreeIPA team is proud to announce version 2.1.90 alpha 2. This will eventually become FreeIPA v2.2.0.

It can be downloaded from http://www.freeipa.org/Downloads or from our development repo (http://freeipa.org/downloads/freeipa-devel.repo). Fedora 15, 16 and 17 builds are available.

For Fedora 17 users the the required version of 389-ds-base has not been pushed to updates-testing yet. You can retrieve it manually from http://koji.fedoraproject.org/koji/buildinfo?buildID=299543 or download the packages with:

# koji download-build 299543

Alpha 1 was an unannounced release that formed the basis of the first Fedora 17 package. It was not well-tested, particularly for upgrades, which is why it wasn't announced at the time. It was released to meet Fedora 17 package deadlines.

Highlights in 2.1.90 alpha 2

• A new KDC LDAP backend, ipa-kdb. This simplifies our set up code and will is a big piece of future MS PAC support. It also removes the need for the separate ipa_kpasswd daemon, kadmind is used instead.
• Support for storing SSH user and host public keys.
• SELinux user map rules. These let you set the SELinux context for users in an HBAC rule.
• Improved DNS UI and command-line with vastly improved argument handling.
• UI screens for Automember were added.
• Session support in the Web UI. This removes the need to do Kerberos negotiation with every request significantly improving Web UI performance.
• Support for S4U2Proxy. This is a Kerberos feature which allows a delegated service (HTTP in our case) to request a ticket (ldap) on a user's behalf. We no longer require the TGT to be delegated to the server. A forwardable TGT is still required.
• Improved command-line performance. It is approximately 50% faster.
• MAC address has been added to hosts.

Upgrading

We tested upgrades from 2.1.4 successfully but this is alpha code. We do not recommend upgrading a production server.

Installing updated rpms is all that is required to upgrade from 2.1.4.

It is unlikely that downgrading to a previous release once 2.1.90 is installed will work.

Feedback

Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

Detailed Changelog since 2.1.4

Adam Young (4):

• remove enrolled column
• Add priority to pwpolicy list
• Remove delegation from browser config
• ignore generated services file.

Alexander Bokovoy (14):

• Re-enable web password migration on Fedora 16 after SE Linux policy restrictions
• Check for Python.h during build of py_default_encoding extension
• Add configure check for libintl.h
• Create directories for client install
• Add "Extending FreeIPA" developer guide
• Small fix to the guide CSS: enable vertical scroll bar
• Rename included snippets to avoid problems with pylint
• Fix dependency for samba4-devel package
• Check through all LDAP servers in the domain during IPA discovery
• Validate sudo RunAsUser/RunAsGroup arguments
• Allow hbactest to work with HBAC rules exceeding default IPA limits
• Add management of inifiles to allow manipulation of systemd units
• Handle upgrade issues with systemd in Fedora 16 and above
• Adopt to python-ldap 2.4.6 by removing unused references which are not available in python-ldap anymore

Endi S. Dewata (60):

• Updated DNS zone details page.
• Replaced description text fields with text areas.
• Use editable combobox for service type.
• Added confirmation when adding multiple entries.
• Added selectable labels for radio buttons.
• Fixed dependency problem in UI test.
• Fixed inconsistent required/optional attributes.
• Fixed host Enrolled column.
• Fixed problem clearing validation error on checkboxes.
• Fixed "enroll" labels.
• Merged widget's metadata and param_info.
• Refactored validation code.
• Fixed inconsistent image names.
• Fixed inconsistent details facet validation.
• Added password field in user adder dialog.
• Fixed blank krbtpolicy and config pages.
• Moved facet code into facet.js.
• Added extensible UI framework.
• Fixed problem changing page in association facet.
• Updated sample data.
• Added paging on search facet.
• Refactored permission target section.
• Removed develop.js.
• Added commands into metadata.
• Removed HBAC rule type.
• Removed HBAC deny rule warning.
• Refactored entity object resolution.
• Fixed ipa.js for sessions.
• Fixed entity definition in test cases.
• Added support for radio buttons in table widget.
• Fixed entity metadata resolution.
• Refactored facet.load().
• Added HBAC Test page.
• Fixed navigation buttons for HBAC Test.
• Fixed search filter in HBAC Test.
• Added external fields for HBAC Test.
• Fixed CSS for HBAC Test
• Fixed I18n labels for HBAC Test
• Fixed matched/unmatched checkboxes in HBAC Test
• Added HBAC Test input validation.
• Fixed problem loading DNS records.
• Fixed unmatched checkbox name.
• Fixed combobox icon position.
• Fixed combobox search icon position.
• Reload UI when the user changes.
• Reload UI on server upgrade.
• Added account status into user search facet.
• Added policies into user details page.
• Load user data and policies in a single batch.
• Added instructions to generate CSR.
• Fixed problem removing automount keys and DNS records.
• Enabled paging on self-service permissions and delegations.
• Enabled paging on automount keys.
• Show disabled entries in gray.
• Fixed inconsistent status labels.
• Fixed host managed-by adder dialog.
• Added icons for status column.
• Hide Add/Delete buttons in self-service mode.
• Use fixed font when displaying certificate.
• Show password expiration date.

JR Aquino (1):

• Replication: Adjust replica installation to omit processing memberof computations

Jan Cholasta (15):

• Finalize plugin initialization on demand.
• Don't leak passwords through kdb5_ldap_util command line arguments.
• Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
• Fix make-lint crash under certain circumstances.
• Fix attempted write to attribute of read-only object.
• Add LDAP schema for SSH public keys.
• Add LDAP ACIs for SSH public key schema.
• Add support for SSH public keys to user and host objects.
• Add API initialization to ipa-client-install.
• Move the nsupdate functionality to separate function in ipa-client-install.
• Update host SSH public keys on the server during client install.
• Configure ssh and sshd during ipa-client-install.
• Base64-decode unicode values in Bytes parameters.
• Add SSH service to platform-specific services.
• Move the compat module from ipalib to ipapython.

John Dennis (10):

• If "make rpms" fails so will the next make
• Remove old RPMROOT contents before it is used for rpmbuild
• update i18n pot file for branch ipa-2-1
• Add log manager module
• modify codebase to utilize IPALogManager, obsoletes logging
• IPAdmin undefined anonymous parameter lists
• subclass SimpleLDAPObject
• Restore default log level in server to INFO
• Add ipa_memcached service
• add session manager and cache krb auth

Marko Myllynen (1):

• include <stdint.h> for uintptr_t

Martin Kosek (52):

• Add connection failure recovery to IPAdmin
• Make sure that install tools log
• Add --zonemgr/--admin-mail validator
• Create pkey-only option for find commands
• Allow custom server backend encoding
• Fix DNS zone --allow-dynupdate option behavior
• Improve DNS record data validation
• Polish ipa config help
• Hosts file not updated when IP is passed as option
• Fix API.txt
• Fix LDAP object parameter encoding
• Remove redundant information from API.txt
• Fix coverity issues in client CLI tools
• Make ipa-server-install clean after itself
• Add --delattr option to complement --setattr/--addattr
• Improve zonemgr validator and normalizer
• Change default DNS zone manager to hostmaster
• Fix config migration option
• Ask for user confirmation in ipa-server-install
• Add DNS check to conncheck port probe
• Refactor dnsrecord processing
• Fix Parameter csv parsing
• Improve CLI output for complex commands
• Create per-type DNS API
• Fix maxvalue in DNS plugin
• Fix LDAP add calls in replication module
• Prevent service restart failures in ipa-replica-install
• Fix LDAP updates in ipa-replica-install
• Let replicas install without DNS
• Restore ACI when aci_mod fails
• Add missing --pkey-only option for selfservice and delegation
• Replace float with Decimal
• Improve host-add error message
• Fix ipa-server-install for dual NICs
• Fix selfservice-find crashes
• Mark optional DNS record parts
• Fix ldap2 combine_filters for ldap2.MATCH_NONE
• Add missing managing hosts filtering options
• Improve netgroup-add error messages
• Fix TXT record parsing
• Fix NSEC record conversion
• Add SRV record target validator
• Add data field for A6 record
• Improve dnszone-add error message
• Improve migration help
• Fix raw format for ACI commands
• Improve password change error message
• Remove debug messages
• Add argument help to CLI
• Return proper DN in netgroup-add
• Remove unused options from ipa-managed-entries
• Add Petr Viktorín to Contributors.txt

Ondrej Hamada (9):

• Misleading Keytab field
• Sort password policy by priority
• Client install checks for nss_ldap
• User-add random password support
• HBAC test optional sourcehost option
• localhost.localdomain clients refused to join
• Leave nsds5replicaupdateschedule parameter unset
• Fix 'no-reverse' option description
• Memberof attribute control and update

Petr Viktorin (5):

• Switch --group and --membergroup in example for delegation
• Fix/add options in ipa-managed-entries man page
• Honor default home directory and login shell in user_add
• Clean up i18n strings
• Internationalization for HBAC and ipalib.output

Petr Voborník (55):

• Circular entity dependency
• Fixed: Duplicate CSS definitions
• Fixing infinite loop in UI navigation unit test.
• Minor visual enhancement of required indicator
• Page is cleared before it is visible
• Field for DNS SOA class changed to combobox with options
• Extending facet's mechanism of gathering changes
• Added cross browser support of Array.indexOf method
• Splitting widget into widget and field
• Splitting basic widgets into visual widgets and fields
• Improved fields dirty status detection logic
• Builders and collections for fields and widgets
• Removing sections as special type of object
• Added possibility to define facet/dialog specific policies
• Modifying users to work with new concept
• Modifying hosts to work with new concept
• Modifying dns to work with new concept
• Modifying services to work with new concept
• Separation of writable update from field load method
• Modifying ACI to work with new concept
• Modifying groups to work with new concept
• Code cleanup of HBAC, Sudo rules
• Changing definition of basic fields in section from factory to type
• Modifying automount to work with new concept
• Fixed unit tests after widget refactoring
• Removed usage of bitwise assignment operators in logical operations
• Search facets show translated boolean values
• Better displaying of long names in tables and facet headers
• Additional better displaying of long names
• Reordered facets in ACI
• Association facets are read only in self service
• Added facet tabs coloring
• Fixed displaying of external records in rule association widgets
• Distinguishing of external values in association tables
• Better table column width computing
• Fixed labels in Sudo, HBAC rules
• Parsing of IPv4 and IPv6 addresses
• Added support of custom field validators
• Added validation logic to multivalued text field
• Added client-side validation of A and AAAA DNS records
• Fixed IPv6 validation special case: single colon
• Added support for memberof attribute in permission
• Added IP address validator to Host and DNS record adder dialog
• Fixed entity link disabling
• UI for SELinux user mapping
• Added refresh button for UI
• Modifying DNS UI to benefit from new DNS API
• Added paging to DNS record search facet
• Navigation and redirection to various facets
• Automember UI
• Automember UI - default groups
• Automember UI - Fixed I18n labels
• Removed question marks from field labels
• UI support for ssh keys
• Redirection to PTR records from A,AAAA records

Rob Crittenden (54):

• Use absolute paths when trying to find certmonger request id.
• Reorder privileges so that memberof for permissions are generated properly.
• Fix some pylint issues found in F-16
• Fix two typos in role help.
• Move ONLY_CLIENT in spec so services.py always gets generated in %install
• Remove calls to has_managed_entries()
• Fix copy/paste error in parameter description.
• Add Ondrej Hamada to Contributors.txt
• Don't check for 389-instances.
• Clarify usage of --posix argument in group plugin.
• Add plugin framework to LDAP updates.
• Fix some issues introduced when rebasing update patch
• Mark some attributes required to match the schema.
• Add SELinux user mapping framework.
• Display the value of memberOf ACIs in permission plugin.
• Set minimum version of 389-ds to 1.2.10-0.5.a5
• Fix typos in in 60basev3.ldif
• Remove include for errno.h that was specific to 2.1 branch
• Remove ipa_get_random_salt() from ipapwd_encoding.c
• update i18n pot file for branch ipa-2-2
• Remove buffer log handling.
• Configure s4u2proxy during installation.
• Document the ping plugin.
• Catch exception when trying to list missing managed entries definitions
• Fix some typos in automember help and paramters.
• Add labels so HBAC and Sudo rules show under hosts/hostgroups.
• Use correct template variable for hosts, FQDN.
• In sudo when the category is all do not allow members, and vice versa.
• Update and package ipa-upgradeconfig man page.
• Fix deletion of HBAC Rules when there are SELinux user maps defined
• Add support for storing MAC address in host entries.
• Don't try to bind on TLS failure
• Check for the existence of a replication agreement before deleting it.
•  %ghost the UI files that we install/create on the fly
• Make submount automount maps work.
• Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.
• Consolidate external member code into two functions in baseldap.py
• Make ipaconfigstring modifiable by users.
• Don't use sets when calculating the modlist so order is preserved.
• Add update files for SELinuxUserMap
• Add update file for new schema in v2.2/3.0
• Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf
• Don't set delegation flag in client, we're using S4U2Proxy now
• Update S4U2proxy delegation list when creating replicas
• Correct update syntax in 30-s4u2proxy.update
• Remove Apache ccache on upgrade.
• Add S4U2Proxy delegation permissions on upgrades
• Disable false pylint error in freeipa-systemd-upgrade
• Enable ipa_memcached when upgrading
• Configure ipa_memcached when a replica is installed.
• Use FQDN in place of FQHN for consistency in sub_dict.
• Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication.

Simo Sorce (77):

• Fix build warnings
• ipa-pwd_extop: use endian.h instead of nih function
• krbinstance: use helper function to get realm suffix
• ipa-pwd-extop: Remove unused variables and code to set them
• ipa-pwd-extop: do not append mkvno to krbExtraData
• ipa-pwd-extop: Use the proper mkvno number in keys
• ipa-pwd-extop: re-indent code using old style
• ipa-pwd-extop: Use common krb5 structs from kdb.h
• ipa-pwd-extop: Move encryption of keys in common
• ipa-pwd-extop: Move encoding in common too
• ipa-pwd-extop: make encsalt parsing function common
• ipa-kdb: Initial plugin skeleton
• ipa-kdb: add exports file
• ipa-kdb: initialize module functions
• ipa-kdb: implement get_time function
• ipa-kdb: add common utility ldap wrapper functions
• ipa-kdb: functions to get principal
• ipa-kdb: add function to free principals
• ipa-kdb: add functions to delete principals
• ipa-kdb: add function to iterate over principals
• ipa-kdb: add functions to change principals
• ipa-kdb: Get/Store Master Key directly from LDAP
• ipa-kdb: implement function to retrieve password policies
• ipa-kdb: implement change_pwd function
• util: add password policy manipulation functions
• ipa-pwd-extop: Use common password policy code
• ipa-kdb: add password policy support
• ipa-pwd-extop: Allow kadmin to set krb keys
• ipa-kdb: Change install to use the new ipa-kdb kdc backend
• install: Remove uid=kdc user
• ipa-kdb: Be flexible
• install: Use proper case for boolean values
• daemons: Remove ipa_kpasswd
• schema: Split ipadns definitions from basev2 ones
• v3-schema: Add new ipaExternalGroup objectclass
• install: We do not need a ldap password anymore
• install: We do not need a kpasswd keytab anymore
• ipa-kdb: Properly set password expiration time.
• conncheck: Additional check to verify the admin password is ok
• ipa-kdb: Fix expiration time calculation
• ipa-kdb: Fix legacy password hashes generation
• ipa-kdb: Fix memory leak
• Fix CID 10742: Unchecked return value
• Fix CID 10743: Unchecked return value
• Fix CID 10745: Unchecked return value
• Fix CID 11019: Resource leak
• Fix CID 11020: Resource leak
• Fix CID 11021: Resource leak
• Fix CID 11022: Resource leak
• Fix CID 11023: Resource leak
• Fix CID 11024: Resource leak
• Fix CID 11025: Resource leak
• Fix CID 11026: Resource leak
• Fix CID 11027: Wrong sizeof argument
• Add support for generating PAC for AS requests for user principals
• MS-PAC: Add support for verifying PAC in TGS requests
• Modify random salt creation for interoperability
• Amend #2038 fix
• Add missing copyright header
• ipa-kdb: Support re-signing PAC with different checksum
• spec: We do not need krb5-server-ldap anymore
• ipa-kdb: fix free() of uninitialized var
• ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles
• ipa-kdb: fix memleaks in ipa_kdb_mspac.c
• ipa-kdb: Fix copy and paste typo
• ipa-kdb: enhance deref searches
• ipa-kdb: Add delgation access control support
• ipa-kdb: return properly when no PAC is available
• ipa-kdb: Verify the correct checksum in PAC validation
• ipa-kdb: Create PAC's KDC checksum with right key
• Disable MS-PAC handling in 2.2
• Fix replication setup
• slapi-plugins: use thread-safe ldap library
• ipa-kdb: add AS auditing support
• ipa-kdb: Avoid lookup on modify if possible
• ipa-kdb: set krblastpwdchange only when keys have been effectively changed