The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. We would like to welcome any early testers of this prerelase to provide us feedback and help us stabilize this feature release which we plan to release as final in the beginning of May 2013.
It can be downloaded from http://www.freeipa.org/page/Downloads. The new version has also been built for Fedora 19 Alpha, if it does not appear in your Fedora 19 yet, you can also download the build from koji:
http://koji.fedoraproject.org/koji/buildinfo?buildID=408311
Highlights in 3.2.0 Prerelease 1#
New features#
Support installing FreeIPA without an embedded Certificate Authority, with user-provided SSL certificates for the HTTP and Directory servers. [1]
New cert-find command. Search certificates in the Dogtag database based on their serial number, validity or revocation details. This feature is available both as a CLI command and Web UI page. [2]
New trustconfig-show and trustconfig-mod command. Show or modify AD Trust settings generated during AD Trust installation (ipa-adtrust-install) [3]
Multiple FreeIPA servers can now be designated as Domain Controllers for trusts with Active Directory [12]
New realmdomains-show and realmdomains-mod command. Manage list of DNS domains associated with FreeIPA realm (realmdomains sommand). This list is primarily used by AD, which can pull all domains managed by FreeIPA and use that list for routing authentication requests for domains which do not match FreeIPA realm name. [4]
Support trusted domain users in HBAC test command (hbactest command).
Allow filtering incoming trusted domain SIDs per-trust (trust-mod command). [5]
Configurable PAC type for services. Service commands can now configure a set of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the service.
Faster UI loading. FreeIPA Web UI application is now packaged in minimalized format. FreeIPA web server is now also able to transmit data in compressed format. [6] [7]
UI now accepts confirmation of cancel of its dialogs via keyboard [11]
Client reenrollment. A host that has been recreated can now be reenrolled to FreeIPA server using a backed up host keytab or admin credentials [8]
Service and Host commands now provide options to add or remove selected Kerberos flags [9]
Prerelease 1 limitations#
List of DNS domains associated with FreeIPA realm currently only works with a special Samba build available for Fedora 18: http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get it working.
Test of trusted domain users in HBAC rules is accessible to only to members of ‘Trust Admins’ group due to privilege limitations
Same applies to any other trust-specific operations that require translation between user/group name and its security identifier (SID)
Bug fixes#
Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and groups from OpenLDAP database instances.
Migration process is now also a lot faster and provides more debug output (to httpd error log).
SUDO rules disabled by sudorule-disable command are now removed from ou=sudoers compat tree without a need to restart 389 Directory Server instance.
Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release
Fixed server installation with external CA (–external-ca)
Consolidate on-line help system, show help without need of valid Kerberos credentials (ipa help)
New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial attribute for replicas which either do not have integrated DNS service enabled to which have disabled SOA serial autoincrement
LDAP lockout plugin has been fixed so that lockout policies are applied consistently both for LDAP binds and Kerberos authentication
… and many others stabilization fixes, see Detailed changelog for full details
Changes in API or CLI——————
Dropped –selfsign option#
FreeIPA servers prior to 3.2.0 could be installed with –selfsign option. This configured the server with a NSS database based Certificate Authority with a selfsigned CA certificate and limited certificate operation support.
This option was always intended for development or testing purposes only and was not intended for use in production. This release drops this option and deprecates the functionality. Current FreeIPA servers installed with –selfsigned option will still work, instructions on how to migrate to supported certificate options will be provided.
FreeIPA servers version 3.2.0 and later supports the following 2 flavors of certificate management:
FreeIPA with pki-ca (dogtag) with either a self-signed certificate or with a certificate signed by external CA (–external-ca option)
FreeIPA with no pki-ca installed with certificates signed and provided by an external CA [1]
Dropped CSV support#
FreeIPA client CLI supported CSV in some arguments so that multiple values could be added with just one convenient option:
ipa permission-add some-perm --permissions=read,write --attrs=sn,cn
ipa dnsrecord-add example.com --a-rec=10.0.0.1,10.0.0.2
CSV parsing however introduces great difficulty when trying to include a value with an embedded space in it. Escaping these values is not intuitive and made it very difficult to add such values. The level of effort in working around the CSV problems has come to the point where the benefits of it are outweighed by the problems which lead to decision to drop CSV support in CLI altogether [10].
There are several ways to workaround lack of CSV:
Provide an argument multiple times on the command-line:
ipa permission-add some-perm --permissions=read --permissions=write --attrs=sn --attrs=cn
ipa dnsrecord-add example.com --a-rec=10.0.0.1 --a-rec=10.0.0.2
Let BASH do the expansion for you:
ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn}
ipa dnsrecord-add example.com --a-rec={10.0.0.1,10.0.0.2}
Upgrading#
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.
Please note, that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Documentation#
Detailed Changelog since 3.1.0#
Alexander Bokovoy (7):
Update plugin to upload CA certificate to LDAP
ipasam: use base scope when fetching domain information about own domain
ipaserver/dcerpc: enforce search_s without schema checks for GC searching
ipa-replica-manage: migrate to single_value after LDAPEntry updates
Process exceptions when talking to Dogtag
ipasam: add enumeration of UPN suffixes based on the realm domains
Enhance ipa-adtrust-install for domains with multiple IPA server
Ana Krivokapic (10):
Raise ValidationError for incorrect subtree option.
Add crond as a default HBAC service
Take into consideration services when deleting replicas
Add list of domains associated to our realm to cn=etc
Improve error messages for external group members
Remove check for alphabetic only characters from domain name validation
Fix internal error for ipa show-mappings
Realm Domains page
Use default NETBIOS name in unattended ipa-adtrust-install
Add mkhomedir option to ipa-server-install and ipa-replica-install
Brian Cook (1):
Add DNS Setup Prompt to Install
JR Aquino (1):
Allow PKI-CA Replica Installs when CRL exceeds default maxber value
Jakub Hrozek (1):
Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir
Jan Cholasta (24):
Pylint cleanup.
Drop ipapython.compat.
Add support for RFC 6594 SSHFP DNS records.
Raise ValidationError on invalid CSV values.
Run interactive_prompt callbacks after CSV values are split.
Add custom mapping object for LDAP entry data.
Add make_entry factory method to LDAPConnection.
Remove the Entity class.
Remove the Entry class.
Use the dn attribute of LDAPEntry to set/get DNs of entries.
Preserve case of attribute names in LDAPEntry.
Aggregate IPASimpleLDAPObject in LDAPEntry.
Support attributes with multiple names in LDAPEntry.
Use full DNs in plugin code.
Remove DN normalization from the baseldap plugin.
Remove support for DN normalization from LDAPClient.
Fix remove while iterating in suppress_netgroup_memberof.
Remove disabled entries from sudoers compat tree.
Fix internal error in output_for_cli method of sudorule_{enable,disable}.
Do not fail if schema cannot be retrieved from LDAP server.
Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin.
Allow disabling attribute decoding in LDAPClient and IPAdmin.
Disable schema retrieval and attribute decoding when talking to AD GC.
Add Kerberos ticket flags management to service and host plugins.
John Dennis (2):
Cookie Expires date should be locale insensitive
Use secure method to acquire IPA CA certificate
Lynn Root (4):
Switch %r specifiers to ‘%s’ in Public errors
Added the ability to do Beta versioning
Fixed the catch of the hostname option during ipa-server-install
Raise ValidationError when CSR does not have a subject hostname
Martin Kosek (58):
Add Lynn Root to Contributors.txt
Enable SSSD on client install
Fix delegation-find command –group handling
Do not crash when Kerberos SRV record is not found
permission-find no longer crashes with –targetgroup
Avoid CRL migration error message
Sort LDAP updates properly
Upgrade process should not crash on named restart
Installer should not connect to 127.0.0.1
Fix migration for openldap DS
Remove unused krbV imports
Use fully qualified CCACHE names
Fix permission_find test error
Add trusconfig-show and trustconfig-mod commands
ipa-kdb: add sentinel for LDAPDerefSpec allocation
ipa-kdb: avoid ENOMEM when all SIDs are filtered out
ipa-kdb: reinitialize LDAP configuration for known realms
Add SID blacklist attributes
ipa-kdb: read SID blacklist from LDAP
ipa-sam: Fill SID blacklist when trust is added
ipa-adtrust-install should ask for SID generation
Test NetBIOS name clash before creating a trust
Generalize AD GC search
Do not hide SID resolver error in group-add-member
Add support for AD users to hbactest command
Fix hbachelp examples formatting
ipa-kdb: remove memory leaks
ipa-kdb: fix retry logic in ipadb_deref_search
Add autodiscovery section in ipa-client-install man pages
Avoid internal error when user is not Trust admin
Use fixed test domain in realmdomains test
Bump FreeIPA version for development branch
Remove ORDERING for IA5 attributeTypes
Fix includedir directive in krb5.conf template
Use new 389-ds-base cleartext password API
Do not hide idrange-add errors when adding trust
Preserve order of servers in ipa-client-install
Avoid multiple client discovery with fixed server list
Update named.conf parser
Use tkey-gssapi-keytab in named.conf
Do not force named connections on upgrades
ipa-client discovery with anonymous access off
Use temporary CCACHE in ipa-client-install
Improve client install LDAP cert retrieval fallback
Configure ipa_dns DS plugin on install and upgrade
Fix structured DNS record output
Bump selinux-policy requires
Clean spec file for Fedora 19
Remove build warnings
Remove syslog.target from ipa.server
Put pid-file to named.conf
Update mod_wsgi socket directory
Normalize RA agent certificate
Require 389-base-base 1.3.0.5
Change CNAME and DNAME attributes to single valued
Improve CNAME record validation
Improve DNAME record validation
Become 3.2.0 Prerelease 1
Petr Spacek (1):
Add 389 DS plugin for special idnsSOASerial attribute handling
Petr Viktorin (101):
Sort Options and Outputs in API.txt
Add the CA cert to LDAP after the CA install
Better logging for AdminTool and ipa-ldap-updater
Port ipa-replica-prepare to the admintool framework
Make ipapython.dogtag log requests at debug level, not info
Don’t add another nsDS5ReplicaId on updates if one already exists
Improve `ipa –help` output
Print help to stderr on error
Store the OptionParser in the API, use it to print unified help messages
Simplify `ipa help topics` output
Add command summary to `ipa COMMAND –help` output
Mention `ipa COMMAND –help` as the preferred way to get command help
Parse command arguments before creating a context
Add tests for the help command & –help options
In topic help text, mention how to get help for commands
Check SSH connection in ipa-replica-conncheck
Use ipauniqueid for the RDN of sudo commands
Prevent a sudo command from being deleted if it is a member of a sudo rule
Update sudocmd ACIs to use targetfilter
Add the version option to all Commands
Add ipalib.messages
Add client capabilities, enable messages
Rename the “messages” Output of the i18n_messages command to “texts”
Fix permission validation and normalization in aci.py
Remove csv_separator and csv_skipspace Param arguments
Drop support for CSV in the CLI client
Update argument docs to reflect dropped CSV support
Update plugin docstrings (topic help) to reflect dropped CSV support
cli: Do interactive prompting after a context is created
Remove some unused imports
Remove unused methods from Entry, Entity, and IPAdmin
Derive Entity class from Entry, and move it to ldapupdate
Use explicit loggers in ldap2 code
Move LDAPEntry to ipaserver.ipaldap and derive Entry from it
Remove connection-creating code from ShemaCache
Move the decision to force schema updates out of IPASimpleLDAPObject
Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldap
Start LDAPConnection, a common base for ldap2 and IPAdmin
Make IPAdmin not inherit from IPASimpleLDAPObject
Move schema-related methods to LDAPConnection
Move DN handling methods to LDAPConnection
Move filter making methods to LDAPConnection
Move entry finding methods to LDAPConnection
Remove unused proxydn functionality from IPAdmin
Move entry add, update, remove, rename to LDAPConnection
Implement some of IPAdmin’s legacy methods in terms of LDAPConnection methods
Replace setValue by keyword arguments when creating entries
Use update_entry with a single entry in adtrustinstance
Replace entry.getValues() by entry.get()
Replace entry.setValue/setValues by item assignment
Replace add_s and delete_s by their newer equivalents
Change {add,update,delete}_entry to take LDAPEntries
Remove unused imports from ipaserver/install
Remove unused bindcert and bindkey arguments to IPAdmin
Turn the LDAPError handler into a context manager
Remove dbdir, binddn, bindpwd from IPAdmin
Remove IPAdmin.updateEntry calls from fix_replica_agreements
Remove IPAdmin.get_dns_sorted_by_length
Replace IPAdmin.checkTask by replication.wait_for_task
Introduce LDAPEntry.single_value for getting single-valued attributes
Remove special-casing for missing and single-valued attributes in LDAPUpdate._entry_to_entity
Replace entry.getValue by entry.single_value
Replace getList by a get_entries method
Remove toTupleList and attrList from LDAPEntry
Rename LDAPConnection to LDAPClient
Replace addEntry with add_entry
Replace deleteEntry with delete_entry
Fix typo and traceback suppression in replication.py
replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)
Inline inactivateEntry in its only caller
Inline waitForEntry in its only caller
Proxy LDAP methods explicitly rather than using __getattr__
Remove search_s and search_ext_s from IPAdmin
Replace IPAdmin.start_tls_s by an __init__ argument
Remove IPAdmin.sasl_interactive_bind_s
Remove IPAdmin.simple_bind_s
Remove IPAdmin.unbind_s(), keep unbind()
Use ldap instead of _ldap in ipaldap
Do not use global variables in migration.py
Use IPAdmin rather than raw python-ldap in migration.bind
Use IPAdmin rather than raw python-ldap in ipactl
Remove some uses of raw python-ldap
Improve LDAPEntry tests
Fix installing server with external CA
Change DNA magic value to -1 to make UID 999 usable
Move ipaldap to ipapython
Remove ipaserver/ipaldap.py
Use IPAdmin rather than raw python-ldap in ipa-client-install
Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
Remove unneeded python-ldap imports
Don’t download the schema in ipadiscovery
ipa-server-install: Make temporary pin files available for the whole installation
ipa-server-install: Remove the –selfsign option
Remove unused ipapython.certdb.CertDB class
ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper
Trust CAs from PKCS#12 files even if they don’t have Friendly Names
dsinstance, httpinstance: Don’t hardcode ‘Server-Cert’
Support installing with custom SSL certs, without a CA
Load the CA cert into server NSS databases
Do not call cert-* commands in host plugin if a RA is not available
ipa-client-install: Do not request host certificate if server is CA-less
Petr Vobornik (38):
Make confirm_dialog a base class of revoke and restore certificate dialogs
Make confirm_dialog a base class for deleter dialog
Make confirm_dialog a base class for message_dialog
Confirm mixin
Confirm adder dialog by enter
Confirm error dialog by enter
Focus last dialog when some is closed
Confirm association dialogs by enter
Standardize login password reset, user reset password and host set OTP dialogs
Focus first input element after ‘Add and Add another’
Enable mod_deflate
Use Uglify.js for JS optimization
Dojo Builder
Config files for builder of FreeIPA UI layer
Minimal Dojo layer
Web UI development environment directory structure and configuration
Web UI Sync development utility
Move of Web UI non AMD dep. libs to libs subdirectory
Move of core Web UI files to AMD directory
Update JavaScript Lint configuration file
AMD config file
Change Web UI sources to simple AMD modules
Updated makefiles to build FreeIPA Web UI layer
Change tests to use AMD loader
Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
Develop.js extended
Allow to specify modules for which builder doesn’t raise dependency error
Web UI build profile updated
Combobox keyboard support
Fix dirty state update of editable combobox
Fix handling of no_update flag in Web UI
Web UI: configurable SID blacklists
Web UI:Certificate pages
Web UI:Choose different search option for cert-find
Fixed Web UI build error caused by rhino changes in F19
Nestable checkbox/radio widget
Added Web UI support for service PAC type option: NONE
Web UI: Disable cert functionality if a CA is not available
Rob Crittenden (16):
Convert uniqueMember members into DN objects.
Add Ana Krivokapic to Contributors.txt
Do SSL CA verification and hostname validation.
Don’t initialize NSS if we don’t have to, clean up unused cert refs
Update anonymous access ACI to protect secret attributes.
Make certmonger a (pre) requires on server, restart it before upgrading
Use new certmonger locking to prevent NSS database corruption.
Improve migration performance
Add LDAP server fallback to client installer
Prevent a crash when no entries are successfully migrated.
Implement the cert-find command for the dogtag CA backend.
Add missing v3 schema on upgrades, fix typo in schema.
Don’t base64-encode the CA cert when uploading it during an upgrade.
Extend ipa-replica-manage to be able to manage DNA ranges.
Improve some error handling in ipa-replica-manage
Fix lockout of LDAP bind.
Simo Sorce (2):
Log info on failure to connect
Upload CA cert in the directory on install
Sumit Bose (17):
ipa-kdb: remove unused variable
ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()
ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()
ipa-kdb: Dereference after null check in ipa_kdb_mspac.c
ipa-lockout: Wrong sizeof argument in ipa_lockout.c
ipa-extdom: Double-free in ipa_extdom_common.c
ipa-pwd: Unchecked return value ipapwd_chpwop()
Revert “MS-PAC: Special case NFS services”
Add NFS specific default for authorization data type
ipa-kdb: Read global defaul ipaKrbAuthzData
ipa-kdb: Read ipaKrbAuthzData with other principal data
ipa-kdb: add PAC only if requested
Add unit test for get_authz_data_types()
Mention PAC issue with NFS in service plugin doc
Allow ‘nfs:NONE’ in global configuration
Add support for cmocka C-Unit Test framework
ipa-pwd-extop: do not use dn until it is really set
Timo Aaltonen (1):
convert the base platform modules into packages
Tomas Babej (18):
Relax restriction for leading/trailing whitespaces in *-find commands
Forbid overlapping rid ranges for the same id range
Fix a typo in ipa-adtrust-install help
Prevent integer overflow when setting krbPasswordExpiration
Add option to specify SID using domain name to idrange-add/mod
Prevent changing protected group’s name using –setattr
Use default.conf as flag of IPA client being installed
Make sure appropriate exit status is returned in make-test
Make options checks in idrange-add/mod consistent
Add trusted domain range objectclass when using idrange-mod
Perform secondary rid range overlap check for local ranges only
Add support for re-enrolling hosts using keytab
Make sure uninstall script prompts for reboot as last
Remove implicit Str to DN conversion using *-attr
Enforce exact SID match when adding or modifying a ID range
Allow host re-enrollment using delegation
Add logging to join command
Properly handle ipa-replica-install when its zone is not managed by IPA
sbose (1):
ipa-kdb: Free talloc autofree context when module is closed