The FreeIPA team is proud to announce FreeIPA v4.1.0 Alpha 1!

It can be downloaded from http://www.freeipa.org/page/Downloads. Given that this is only a a development preview of the 4.1 release, it is not built for Fedora, but only in FreeIPA 4.1 Copr repository.

Highlights in 4.1 Alpha1#

Enhancements#

  • New concept of ID Views allowing FreeIPA administrator to define or override POSIX attributes for users/groups coming from trusted domains. Such users then do not need to have POSIX attributes defined in the Active Directory to authenticate to FreeIPA clients. It also allows to assign particular view to selected hosts or hostgroups, thus allowing having a user / group with different POSIX attributes on different hosts. Per-host overrides should be used with extreme care! (design page)

  • New tool ipa-cacert-manage to manually renew or change FreeIPA PKI CA certificate (design page)

  • OTP authentication plugin now prevents multiple usage of token codes on single server

  • DNS interface now supports adding DNS root zone (“.”) allowing admin to for example centrally override DNS root hints.

  • DNS zone adding interface was simplified - name server and it’s IP address is no longer required. The list of authoritative name servers are read from LDAP

  • Services can now be assigned as members of RBAC roles

  • ipa command run with -vv option now prints JSON request and reply exchanged with the FreeIPA server. -vvv also prints HTTP communication.

  • Description attribute is no longer required (e.g. in groups, sudo command groups or others) given that it is also not required in schema.

Bug fixes#

  • Server installers can now handle hosts with multiple IPv4 or IPv6 addresses

  • DNS zone interface no longer accepts --class option as it had no effect as FreeIPA DNS only supports IN class.

  • ipa-ldap-upgrade restores Directory Server settings when upgrade fails

Upgrading#

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that if you are doing the upgrade in special environment (e.g. FedUp) which does not allow running the LDAP server during upgrade process, upgrade scripts need to be run manually after the first boot:

# ipa-ldap-updater --upgrade
# ipa-upgradeconfig

Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 4.0#

Alexander Bokovoy (5)#

  • ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC

  • ipaserver/dcerpc.py: make PDC discovery more robust

  • ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012

  • ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust

  • ipaserver/dcerpc.py: Make sure trust is established only to forest root domain

Ana Krivokapić (1)#

  • Remove internaldb password from password.conf

David Kupka (14)#

  • Fix ipa-client-install –uninstall crash

  • Always record that pkicreate has been executed.

  • Improve password validity check.

  • Fix group-remove-member crash when group is removed from a protected group

  • test group: remove group from protected group.

  • Verify otptoken timespan is valid

  • Add record(s) to /etc/host when IPA is configured as DNS server.

  • Use certmonger D-Bus API instead of messing with its files.

  • Do not restart apache server when not necessary.

  • Allow user to force Kerberos realm during installation.

  • Fix typo causing ipa-upgradeconfig to fail.

  • Add ‘host’ setting into default.conf configuration file on client. Fix description in man page.

  • Detect and configure all usable IP addresses.

  • Do not require description in UI.

Gabe (4)#

  • Fix typos in dns.py

  • Enable debug pid in smb.conf

  • ipa trust-add command should be interactive

  • Fix hardcoded lib dir in freeipa.spec

Jakub Hrozek (1)#

  • CLIENT: Explicitly require python-backports-ssl_match_hostname

Jan Cholasta (87)#

  • Check if /root/ipa.csr exists when installing server with external CA.

  • Exclude attributelevelrights from –raw result processing in baseldap.

  • Add function for checking if certificate is self-signed to ipalib.x509.

  • Support CA certificate renewal in dogtag-ipa-ca-renew-agent.

  • Allow IPA master hosts to update CA certificate in LDAP.

  • Automatically update CA certificate in LDAP on renewal.

  • Track CA certificate using dogtag-ipa-ca-renew-agent.

  • Add method for setting CA renewal master in LDAP to CAInstance.

  • Provide additional functions to ipapython.certmonger.

  • Move external cert validation from ipa-server-install to installutils.

  • Add method for verifying CA certificates to NSSDatabase.

  • Add permissions for CA certificate renewal.

  • Add CA certificate management tool ipa-cacert-manage.

  • Alert user when externally signed CA is about to expire.

  • Load sysupgrade.state on demand.

  • Pick new CA renewal master when deleting a replica.

  • Remove master ACIs when deleting a replica.

  • Do not use ldapi in certificate renewal scripts.

  • Check that renewed certificates coming from LDAP are actually renewed.

  • Allow IPA master hosts to read and update IPA master information.

  • Do not treat the IPA RA cert as CA cert in DS NSS database.

  • Remove certificate “External CA cert” from /etc/pki/nssdb on client uninstall.

  • Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert.

  • Fix trust flags in HTTP and DS NSS databases.

  • Add LDAP schema for wrapped cryptographic keys.

  • Add LDAP schema for certificate store.

  • Add container for certificate store.

  • Configure attribute uniqueness for certificate store.

  • Add permissions for certificate store.

  • Add functions for extracting certificates fields in DER to ipalib.x509.

  • Add function for extracting extended key usage from certs to ipalib.x509.

  • Add certificate store module ipalib.certstore.

  • Upload CA chain from DS NSS database to certificate store on server install.

  • Upload CA chain from DS NSS database to certificate store on server update.

  • Rename CertDB method add_cert to import_cert.

  • Add new add_cert method for adding certificates to NSSDatabase and CertDB.

  • Import CA certs from certificate store to DS NSS database on replica install.

  • Import CA certs from certificate store to HTTP NSS database on server install.

  • Upload renewed CA cert to certificate store on renewal.

  • Refactor CA certificate fetching code in ipa-client-install.

  • Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install.

  • Add function for writing list of certificates to a PEM file to ipalib.x509.

  • Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install.

  • Allow overriding NSS database path in RPCClient.

  • Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install.

  • Add functions for DER encoding certificate extensions to ipalib.x509.

  • Get CA certs for system-wide store from cert store in ipa-client-install.

  • Get up-to-date CA certificates from certificate store in ipa-replica-install.

  • Add client certificate update tool ipa-certupdate.

  • Export full CA chain to /etc/ipa/ca.crt in ipa-server-install.

  • Allow multiple CA certificates in replica info files.

  • Add new NSSDatabase method get_cert for getting certs from NSS databases.

  • Allow changing chaining of the IPA CA certificate in ipa-cacert-manage.

  • Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert.

  • Allow adding CA certificates to certificate store in ipa-cacert-manage.

  • Allow upgrading CA-less to CA-full using ipa-ca-install.

  • Update external CA cert in Dogtag NSS DB on IPA CA cert renewal.

  • Enable NSS PKIX certificate path discovery and validation for Dogtag.

  • Add test for baseldap.entry_to_dict.

  • Fix parsing of long nicknames in certutil -L output.

  • Convert external CA chain to PKCS#7 before passing it to pkispawn.

  • Allow changing CA renewal master in ipa-csreplica-manage.

  • Normalize external CA cert before passing it to pkispawn

  • Make CA-less ipa-server-install option –root-ca-file optional.

  • Backup CS.cfg before modifying it

  • Use autobind when updating CA people entries during certificate renewal

  • Fix certmonger code causing the ca_renewal_master update plugin to fail

  • Allow RPM upgrade from ipa-* packages

  • Include ipaplatform in client-only build

  • Include the ipa command in client-only build

  • Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.

  • Add NSSDatabase.import_files method for importing files in various formats

  • External CA installer options usability fixes

  • CA-less installer options usability fixes

  • Allow choosing CA-less server certificates by name

  • Do stricter validation of CA certificates

  • Introduce NSS database /etc/ipa/nssdb

  • Move NSSDatabase from ipaserver.certs to ipapython.certdb

  • Add NSSDatabase.has_nickname for checking nickname presence in a NSS DB

  • Use NSSDatabase instead of direct certutil calls in client code

  • Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb

  • Check if IPA client is configured in ipa-certupdate

  • Get server hostname from jsonrpc_uri in ipa-certupdate

  • Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update

  • Fix certmonger.wait_for_request

  • Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage

  • Add missing imports to ipapython.certdb

Ludwig Krispenz (1)#

  • Update SSL ciphers configured in 389-ds-base

Lukáš Slebodník (2)#

  • Fix warning: Using uninitialized value ld.

  • Add missing break

Martin Bašti (26)#

  • Fix DNS upgrade plugin should check if DNS container exists

  • FIX: named_enable_dnssec should verify if DNS is installed

  • Allow to add host if AAAA record exists

  • Tests: host tests with dns

  • Fix dnsrecord-mod raise error if last record attr is removed

  • DNSSEC: fix DS record validation

  • Tests: DNS dsrecord validation

  • DNS fix NS record coexistence validator

  • Test: DNS NS validation

  • Fix DNS record rename test

  • FIX DNS wildcard records (RFC4592)

  • Tests: DNS wildcard records

  • dnszone-remove-permission should raise error

  • DNS: remove –class option

  • WebUI: DNS: remove –class option

  • FIX: ldap schmema updater needs correct ordering of the updates

  • Fix DNS plugin to allow to add root zone

  • DNS test: allow ‘.’ as zone name

  • Deprecation of –name-server and –ip-address option in DNS

  • Add correct NS records during installation

  • DNS: autofill admin email

  • WebUI: DNS: Remove ip-address, admin-email options

  • DNS tests: tests update to due to change in options

  • Remove –ip-address, –name-server otpions from DNS help

  • Refactoring of autobind, object_exists

  • LDAP disable service

Martin Košek (4)#

  • Do not require dogtag-pki-server-theme

  • Allow hashed passwords in DS

  • Do not crash client basedn discovery when SSF not met

  • ipa-adtrust-install does not re-add member in adtrust agents group

Nathaniel McCallum (7)#

  • Fix login password expiration detection with OTP

  • Update freeipa-server krb5-server dependency to 1.11.5-5

  • Fix ipa-getkeytab for pre-4.0 servers

  • Add TOTP watermark support

  • Ensure ipaUserAuthTypeClass when needed on user creation

  • Update qrcode support for newer python-qrcode

  • Use stack allocation when writing values during otp auth

Petr Viktorin (30)#

  • baseldap: Return empty string when no effective rights are found

  • ldap2 indirect membership processing: Use global limits if greater than per-query ones

  • test_xmlrpc: Update tests

  • Update API.txt

  • test_ipagetkeytab: Fix assertion in negative test

  • Support delegating RBAC roles to service principals

  • service: Normalize service principal in get_dn

  • freeipa.spec.in: Add python-backports-ssl_match_hostname to BuildRequires

  • permission plugin: Make –target available in the CLI

  • permission plugin: Improve description of the target option

  • Add managed read permissions for compat tree

  • Fix: Add managed read permissions for compat tree and operational attrs

  • Update referential integrity config for DS 1.3.3

  • permission plugin: Auto-add operational atttributes to read permissions

  • Allow deleting obsolete permissions; remove operational attribute permissions

  • ipaserver.install: Consolidate system user creation

  • ipa_restore: Split the services list

  • backup,restore: Don’t overwrite /etc/{passwd,group}

  • ipa_backup: Log where the backup is be stored

  • Add basic test for backup & restore

  • Add test for backup/delete system users/restore

  • JSON client: Log pretty-printed request and response with -vv or above

  • test_permission_plugin: Check legacy permissions

  • upgradeinstance: Restore listeners on failure

  • ipa-replica-prepare: Wait for the DNS entry to be resolvable

  • Move setting SELinux booleans to platform code

  • ipa-restore: Set SELinux booleans when restoring

  • ipaserver.install.service: Don’t show error message on SystemExit(0)

  • VERSION,Makefile: Rename “pre” to “alpha”

  • Become IPA 4.1.0 Alpha 1

Petr Voborník (64)#

  • webui: capitalize labels of undo and undo all buttons

  • webui: improve usability of attributes widget

  • webui: add filter to attributes widget

  • webui: optimize (re)creation of option widget

  • webui: custom attr in attributes widget

  • webui: attr widget: get list of possible attrs from ipapermdefaultattr

  • webui: option_widget_base: sort options

  • webui: reflect readonly state

  • webui: fix add of input group class

  • webui: show managed fields as readonly and not disabled

  • webui: fix selection of empty value in a select widget

  • webui: disable ipapermbindruletype if permission in a privilege

  • webui: fix disabled state of service’s PAC type

  • baseldap: return ‘none’ attr level right as unicode string

  • webui: support wildcard attribute level rights

  • webui: fix nested items creation in dropdown list

  • webui: internet explorer fixes

  • webui: detach facet nodes

  • webui: replace action_buttons with action_widget

  • webui: remove remaining action-button-disabled occurrences

  • webui: add bounce url to reset_password.html

  • webui-ci: fix reset password check

  • webui: better error reporting

  • webui-ci: fix table widget add

  • webui: display expired session notification in a more visible area

  • webui: improved info msgs on login/token sync/reset pwd pages

  • webui: login screen - improved button switching

  • webui: rename tooltip to title

  • webui: tooltip support

  • webui: better authentication types description

  • webui: convert widget.less indentation to spaces

  • webui: improve rule table css

  • webui: sshkey widget - usability fixes

  • webui: disable batch action buttons by default

  • webui: fix group type padding

  • webui: extract complex pkey on Add and Edit

  • webui: adjust behavior of bounce url

  • webui: do not show login error when switching back from otp sync screen

  • webui: switch associators if default doesn’t work

  • webui: notify psw change success only once

  • webui: append network.negotiate-auth.trusted-uris

  • install: create ff krb extension on every install, replica install and upgrade

  • webui: add measurement unit to otp token time fields

  • webui: better otp token type label

  • webui: add token from user page

  • webui: add i18n for the rest of QR code strings

  • webui: display fields based on otp token type

  • webui: better value-change reporting

  • webui: widget initialization

  • webui: hide empty fields and sections

  • webui: hide non-readable fields

  • webui: hide otp fields based on token type

  • webui: fix regression in association facet preop

  • webui-ci: case-insensitive record check

  • webui: do not offer ipa-ad-winsync and ipa-ipa-trust range types

  • webui: improve breadcrumb navigation

  • webui: treat value as pkey in link widget

  • webui: do not show internal facet name to user

  • webui: allow to skip link widget link validation

  • webui: add simple link column support

  • webui: new ID views section

  • webui: facet group labels for idview’s facets

  • webui: list only not-applied hosts in “apply to host” dialog

  • webui: add link from host to idview

Rob Crittenden (1)#

  • No longer generate a machine certificate on client installs

Stephen Gallagher (1)#

  • Change BuildRequires for Java

Sumit Bose (2)#

  • ipa-kdb: fix unit tests

  • extdom: add support for new version

Tomáš Babej (43)#

  • trusts: Validate missing trust secret properly

  • ipatests: tasks: Fix dns configuration for trusts

  • trusts: Make cn=adtrust agents sysaccount nestedgroup

  • baseldap: Remove redundant search from LDAPAddReverseMember and LDAPRemoveReverseMember

  • ipalib: idrange: Make non-implemented range types fail the validation

  • ipatests: test_trust: Add test to cover lookup of trusdomains

  • ipa-client-install: Do not add already configured sources to nsswitch.conf entries

  • ipalib: host_del: Extend LDAPDelete’s takes_options instead of overriding

  • Set the default attributes for RootDSE

  • baseldap: Properly handle the case of renaming object to the same name

  • idviews: Add necessary schema for the ID views

  • idviews: Create container for ID views under cn=accounts

  • idviews: Add ipaAssignedIDVIew reference to the host object

  • ipalib: Remove redundant and star imports from host plugin

  • ipalib: PEP8 fixes for host plugin

  • idviews: Create basic idview plugin structure

  • idvies: Add managed permissions for idview and idoverride objects

  • hostgroup: Add helper that returns all members of a hostgroup

  • hostgroup: Remove redundant and star imports

  • hostgroup: Selected PEP8 fixes for the hostgroup plugin

  • idviews: Add ipa idview-apply and idview-unapply commands

  • idviews: Extend idview-show command to display assigned idoverrides and hosts

  • trusts: Add conversion from SID to object name

  • idviews: Support specifying object names instead of raw anchors only

  • idviews: Split the idoverride object into iduseroverride and idgroupoverride

  • idviews: Split the idoverride commands into iduseroverride and idgroupoverride

  • idviews: Alter idoverride methods to work with splitted objects

  • idviews: Change format of IPA anchor to include domain

  • idviews: Raise NotFound errors if object to override could not be found

  • idviews: Resolve anchors to object names in idview-show

  • ipatests: Add xmlrpc tests for idviews plugin

  • idviews: Add ipaOriginalUid

  • idviews: Update the referential plugin config to watch for ipaAssignedIDView

  • idviews: Fix casing of ID Views to be consistent

  • idviews: Make description optional for the ID View object

  • idviews: Add Default Trust View as part of adtrustinstall

  • idviews: Handle Default Trust View properly in the framework

  • idviews: Make sure the dict.get method is not abused for MUST attributes

  • idviews: Catch errors on unsuccessful AD object lookup when resolving object name to anchor

  • idviews: Display the list of hosts when using –all

  • idviews: Make sure only regular IPA objects are allowed to be overriden

  • idviews: Create Default Trust View for upgraded servers

  • idviews: Fix typo in upgrade handling of the Default Trust View