The FreeIPA team is proud to announce version FreeIPA v3.1.3.
It can be downloaded from http://www.freeipa.org/page/Downloads.
This release includes backport of selected (mainly Trust related) features from upcoming FreeIPA 3.2.0 release. The following 3.1.x releases will contain primarily bugfixes only.
Highlights in 3.1.3#
New features#
New cert-find command. Search certificates in the Dogtag database based on their serial number, validity or revocation details. This feature is available both as a CLI command and Web UI page.
New trustconfig-show and trustconfig-mod command. Show or modify AD Trust settings generated during AD Trust installation (ipa-adtrust-install)
New realmdomains-show and realmdomains-mod command. Manage list of domains managed by FreeIPA server. The list will be used in future releases to inform trusted domain about domains managed by FreeIPA. This feature is available both as a CLI command and Web UI page.
Support trusted domain users in HBAC test command (hbactest command).
Allow filtering incoming trusted domain SIDs per-trust (trust-mod command).
Faster UI loading. FreeIPA Web UI application is now packaged in minimalized format. FreeIPA web server is now also able to transmit data in compressed format.
Bug fixes#
Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and groups from OpenLDAP database instances.
Migration process is now also a lot faster and provides more debug output (to httpd error log).
SUDO rules disabled by sudorule-disable command are now removed from ou=sudoers compat tree without a need to restart 389 Directory Server instance.
Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release
Fixed server installation with external CA (–external-ca)
Consolidate on-line help system, show help without need of valid Kerberos credentials (ipa help)
… and many others stabilization fixes, see Detailed changelog for full details
Upgrading#
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.
Please note, that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users
Detailed Changelog since 3.1.2#
Alexander Bokovoy (2):
ipasam: use base scope when fetching domain information about own domain
Process exceptions when talking to Dogtag
Ana Krivokapic (6):
Take into consideration services when deleting replicas
Add list of domains associated to our realm to cn=etc
Remove check for alphabetic only characters from domain name validation
Fix internal error for ipa show-mappings
Realm Domains page
Use default NETBIOS name in unattended ipa-adtrust-install
Jakub Hrozek (1):
Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir
Jan Cholasta (6):
Pylint cleanup.
Raise ValidationError on invalid CSV values.
Run interactive_prompt callbacks after CSV values are split.
Fix remove while iterating in suppress_netgroup_memberof.
Remove disabled entries from sudoers compat tree.
Fix internal error in output_for_cli method of sudorule_{enable,disable}.
Martin Kosek (33):
Fix migration for openldap DS
Remove unused krbV imports
Use fully qualified CCACHE names
Fix permission_find test error
Add trusconfig-show and trustconfig-mod commands
ipa-kdb: add sentinel for LDAPDerefSpec allocation
ipa-kdb: avoid ENOMEM when all SIDs are filtered out
ipa-kdb: reinitialize LDAP configuration for known realms
Add SID blacklist attributes
ipa-kdb: read SID blacklist from LDAP
ipa-sam: Fill SID blacklist when trust is added
ipa-adtrust-install should ask for SID generation
Test NetBIOS name clash before creating a trust
Generalize AD GC search
Do not hide SID resolver error in group-add-member
Add support for AD users to hbactest command
Fix hbachelp examples formatting
ipa-kdb: remove memory leaks
ipa-kdb: fix retry logic in ipadb_deref_search
Add autodiscovery section in ipa-client-install man pages
Avoid internal error when user is not Trust admin
Use fixed test domain in realmdomains test
Remove ORDERING for IA5 attributeTypes
Fix includedir directive in krb5.conf template
Preserve order of servers in ipa-client-install
Avoid multiple client discovery with fixed server list
Fix client discovery crash
ipa-client discovery with anonymous access off
Use temporary CCACHE in ipa-client-install
Improve client install LDAP cert retrieval fallback
Configure ipa_dns DS plugin on install and upgrade
Bump selinux-policy requires
Become 3.1.3
Petr Spacek (1):
Add 389 DS plugin for special idnsSOASerial attribute handling
Petr Viktorin (23):
Add the CA cert to LDAP after the CA install
Port ipa-replica-prepare to the admintool framework
Don’t add another nsDS5ReplicaId on updates if one already exists
Improve `ipa –help` output
Print help to stderr on error
Store the OptionParser in the API, use it to print unified help messages
Simplify `ipa help topics` output
Add command summary to `ipa COMMAND –help` output
Mention `ipa COMMAND –help` as the preferred way to get command help
Parse command arguments before creating a context
Add tests for the help command & –help options
In topic help text, mention how to get help for commands
Check SSH connection in ipa-replica-conncheck
Use ipauniqueid for the RDN of sudo commands
Prevent a sudo command from being deleted if it is a member of a sudo rule
Update sudocmd ACIs to use targetfilter
Add the version option to all Commands
Add ipalib.messages
Add client capabilities, enable messages
Rename the “messages” Output of the i18n_messages command to “texts”
Fix permission validation and normalization in aci.py
cli: Do interactive prompting after a context is created
Fix installing server with external CA
Petr Vobornik (36):
Make confirm_dialog a base class of revoke and restore certificate dialogs
Make confirm_dialog a base class for deleter dialog
Make confirm_dialog a base class for message_dialog
Confirm mixin
Confirm adder dialog by enter
Confirm error dialog by enter
Focus last dialog when some is closed
Confirm association dialogs by enter
Standardize login password reset, user reset password and host set OTP dialogs
Focus first input element after ‘Add and Add another’
Enable mod_deflate
Use Uglify.js for JS optimization
Dojo Builder
Config files for builder of FreeIPA UI layer
Minimal Dojo layer
Web UI development environment directory structure and configuration
Web UI Sync development utility
Move of Web UI non AMD dep. libs to libs subdirectory
Move of core Web UI files to AMD directory
Update JavaScript Lint configuration file
AMD config file
Change Web UI sources to simple AMD modules
Updated makefiles to build FreeIPA Web UI layer
Change tests to use AMD loader
Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
Develop.js extended
Allow to specify modules for which builder doesn’t raise dependency error
Web UI build profile updated
Combobox keyboard support
Fix dirty state update of editable combobox
Fix handling of no_update flag in Web UI
Web UI: configurable SID blacklists
Web UI:Certificate pages
Web UI:Choose different search option for cert-find
Added Web UI support for service PAC type option: NONE
Load extension.js after UI AMD modules.
Rob Crittenden (10):
Make certmonger a (pre) requires on server, restart it before upgrading
Use new certmonger locking to prevent NSS database corruption.
Better logging for AdminTool and ipa-ldap-updater
Improve migration performance
Add LDAP server fallback to client installer
Prevent a crash when no entries are successfully migrated.
Implement the cert-find command for the dogtag CA backend.
Add missing v3 schema on upgrades, fix typo in schema.
Don’t base64-encode the CA cert when uploading it during an upgrade.
Improve some error handling in ipa-replica-manage
Sumit Bose (7):
ipa-kdb: remove unused variable
ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()
ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()
ipa-kdb: Dereference after null check in ipa_kdb_mspac.c
ipa-lockout: Wrong sizeof argument in ipa_lockout.c
ipa-extdom: Double-free in ipa_extdom_common.c
ipa-pwd: Unchecked return value ipapwd_chpwop()
Tomas Babej (13):
Fix a typo in ipa-adtrust-install help
Prevent integer overflow when setting krbPasswordExpiration
Add option to specify SID using domain name to idrange-add/mod
Prevent changing protected group’s name using –setattr
Use default.conf as flag of IPA client being installed
Make sure appropriate exit status is returned in make-test
Make options checks in idrange-add/mod consistent
Add trusted domain range objectclass when using idrange-mod
Perform secondary rid range overlap check for local ranges only
Make sure uninstall script prompts for reboot as last
Remove implicit Str to DN conversion using *-attr
Enforce exact SID match when adding or modifying a ID range
Add logging to join command
sbose (1):
ipa-kdb: Free talloc autofree context when module is closed