The FreeIPA team is proud to announce FreeIPA v3.2.2.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new version has also been built for Fedora 19 and is on its way to updates-testing.

Important: please see section Upgrading before upgrading the packages, a manual procedure is needed for FreeIPA servers with CA originally installed with FreeIPA version prior to 3.1.

Highlights in 3.2.2#

New features for 3.2.2#

  • Significant improvement of performance with large number of users or groups. Several LDAP server indexes were added for this purpose.

  • freeipa-server-selinux package with custom FreeIPA SELinux policy is dropped, all policy is now contained in system policy package

Bug fixes#

  • Removes systemd-related deadlock when a server with running FreeIPA services is restarted

  • Fixes ownership issues in CRL publishing directory (/var/lib/ipa/pki-ca/publish/)

  • ipa-replica-prepare and ipa-replica-install now do not crash on system with gnupg2 package only (without older gnupg package)

  • CRL file can now be retrieved via plain http protocol without redirection to https, as defined in certificates published by FreeIPA

  • Entitlement plugin is removed from FreeIPA codebase as it was neither supported nor tested

  • Many bugfixes related to CA-less installation

  • … and many others stabilization fixes, see Detailed changelog for full details

Upgrading#

FreeIPA servers with CA installed prior to version 3.1#

Manual upgrade procedure is required for FreeIPA servers installed with version prior to 3.1.

Other FreeIPA servers and clients#

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note, that the performance improvements requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 3.2.1#

Ana Krivokapic (8):#

  • Fix displaying of success message

  • Improve handling of options in ipa-client-install

  • Do not display traceback to user

  • Fix bug in adtrustinstance

  • Use correct DS instance in ipactl status

  • Avoid systemd service deadlock during shutdown

  • Make sure replication works after DM password is changed

  • Use –ignore-dependencies only when necessary

Jan Cholasta (16):#

  • Use the correct PKCS#12 file for HTTP server.

  • Remove stray error condition in ipa-server-install.

  • Handle exceptions gracefully when verifying PKCS#12 files.

  • Skip empty lines when parsing pk12util output.

  • Do not allow installing CA replicas in CA-less setup.

  • Do not track DS certificate in CA-less setup.

  • Fix CA-less check in ipa-replica-install and ipa-ca-install.

  • Do not skip SSSD known hosts in ipa-client-install –ssh-trust-dns.

  • Skip cert issuer validation in service and host commands in CA-less install.

  • Check trust chain length in CA-less install.

  • Use LDAP search instead of *group_show to check if a group exists.

  • Use LDAP search instead of *group_show to check for a group objectclass.

  • Use LDAP modify operation directly to add/remove group members.

  • Add missing substring indices for attributes managed by the referint plugin.

  • Add missing equality index for ipaUniqueId.

  • Run gpg-agent explicitly when encrypting/decrypting files.

Lukas Slebodnik (1):#

  • Use pkg-config to detect cmocka

Martin Kosek (7):#

  • Remove entitlement support

  • Enable SASL mapping fallback.

  • Drop SELinux subpackage

  • Drop redundant directory /var/cache/ipa/sessions

  • Run server upgrade and restart in posttrans

  • Require new selinux-policy replacing old server-selinux subpackage

  • Become 3.2.2

Nathaniel McCallum (3):#

  • Fix client install exception if /etc/ssh is missing

  • Permit reads to ipatokenRadiusProxyUser objects

  • Fix for small syntax error in OTP schema

Petr Vobornik (5):#

  • Regression fix: rule table with ext. member support doesn’t offer any items

  • Fix default value selection in radio widget

  • Do not redirect to https in /ipa/ui on non-HTML files

  • Create Firefox configuration extension on CA-less install

  • Disable checkboxes and radios for readonly attributes

Rob Crittenden (1):#

  • Return the correct Content-type on negotiated XML-RPC requests.

Sumit Bose (1):#

  • Fix type of printf argument

Tomas Babej (2):#

  • Do not redirect ipa/crl to HTTPS

  • Change group ownership of CRL publish directory