The FreeIPA team would like to announce FreeIPA v4.1.3 bug fix release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds will be available for Fedora 21. Builds for Fedora 20 are available in the official COPR repository.

Highlights in 4.1.3

Enhancements

  • ID Views support user SSH public keys

  • ID Views support IPA user overrides

  • OTP token authentication and synchronization windows are configurable

  • RADIUS server proxy fields added to user page in Web UI

Bug fixes

  • Issues fixed in ipa-restore:

    • doesn’t crash if replica is unreachable

    • checks that the backup is not being restored on a non-matching host

    • improved validation of input options to disallow invalid combinations

    • doesn’t fail if run on a system without IPA installed

    • creates correct log directories

  • certificate renewal process is synchronized

  • migrate-ds: warns user if compat plugin is enabled

  • PassSync plugin could not update synchronized users due to too strict access control

  • replication agreements by Replication Administrators could not be removed due to strict access control

  • anonymous read of a DUA profile was not possible due to strict access control

  • various upgrade fixes related to DNSSEC

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 4.1.2

Alexander Bokovoy (4)

  • Support Samba PASSDB 0.2.0 aka interface version 24

  • ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly

  • ipa-kdb: when processing transitions, hand over unknown ones to KDC

  • ipa-kdb: reject principals from disabled domains as a KDC policy

David Kupka (5)

  • Use singular in help metavars + update man pages.

  • Always add /etc/hosts record when DNS is being configured.

  • Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.

  • Abort backup restoration on not matching host.

  • idviews: Allow setting ssh public key on ipauseroverride-add

Gabe Alford (3)

  • Remove dependency on subscription-manager

  • Typos in ipa-rmkeytab options help and man page

  • permission-add does not prompt for ipapermright in interactive mode

Jan Cholasta (18)

  • Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent

  • Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent

  • Improve validation of --instance and --backend options in ipa-restore

  • Check subject name encoding in ipa-cacert-manage renew

  • Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage

  • Fix ipa-restore on systems without IPA installed

  • Remove RUV from LDIF files before using them in ipa-restore

  • Fix CA certificate renewal syslog alert

  • Do not crash on unknown services in installutils.stopped_service

  • Restart dogtag when its server certificate is renewed

  • Make certificate renewal process synchronized

  • Fix validation of ipa-restore options

  • Do not assume certmonger is running in httpinstance

  • Put LDIF files to their original location in ipa-restore

  • Revert “Make all ipatokenTOTP attributes mandatory”

  • Create correct log directories during full restore in ipa-restore

  • Do not crash when replica is unreachable in ipa-restore

  • Bump 389-ds-base and pki-ca dependencies for POODLE fixes

Jan Pazdziora (1)

  • No explicit zone specification.

Martin Babinsky (11)

  • Moved dbus-python dependence to freeipa-python package

  • ipa-kdb: unexpected error code in ‘ipa_kdb_audit_as_req’ triggers a message

  • always get PAC for client principal if AS_REQ is true

  • ipa-kdb: more robust handling of principal addition/editing

  • OTP: failed search for the user of last token emits an error message

  • ipa-pwd-extop: added an informational comment about intentional fallthrough

  • ipa-uuid: emit a message when unexpected mod type is encountered

  • OTP: emit a log message when LDAP entry for config record is not found

  • ipa-client-install: put eol character after the last line of altered config file(s)

  • migrate-ds: exit with error message if no users/groups to migrate are found

  • Changing the token owner changes also the manager

Martin Bašti (19)

  • Fix zonemgr option encoding detection

  • Throw zonemgr error message before installation proceeds

  • Upgrade fix: masking named should be executed only once

  • Using wget to get status of CA

  • Show SSHFP record containing space in fingerprint

  • Fix don’t check certificate during getting CA status

  • Fix: Upgrade forwardzones zones after adding newer replica

  • Fix zone find during forwardzone upgrade

  • Fix traceback if zonemgr error contains unicode

  • DNS tests: separate current forward zone tests

  • New test cases for Forward_zones

  • Detect and warn about invalid DNS forward zone configuration

  • DNS tests: warning if forward zone is inactive

  • Add debug messages into client autodetection

  • DNSSEC catch ldap exceptions in ipa-dnskeysyncd

  • DNSSEC: fix root zone dns name conversion

  • Always return absolute idnsname in dnszone commands

  • Use dyndns_update instead of deprecated sssd option

  • Fix reference counting in pkcs11 extension

Martin Košek (7)

  • Bump SSSD Requires to 1.12.3

  • Allow PassSync user to locate and update NT users

  • Allow Replication Administrators to manipulate Winsync Agreements

  • Replication Administrators cannot remove replication agreements

  • Add anonymous read ACI for DUA profile

  • Print PublicError traceback when in debug mode

  • group-detach does not add correct objectclasses

Nathaniel McCallum (7)

  • Catch USBError during YubiKey location

  • Preliminary refactoring of libotp files

  • Move authentication configuration cache into libotp

  • Enable last token deletion when password auth type is configured

  • Make token auth and sync windows configurable

  • Create an OTP help topic

  • Prefer TCP connections to UDP in krb5 clients

Petr Voborník (10)

  • webui: add radius fields to user page

  • fix indentation in ipa-restore page

  • add --hosts and --hostgroup options to allow/retrieve keytab methods

  • webui: fix service unprovisioning

  • webui: increase duration of notification messages

  • revert removal of cn attribute from idnsRecord

  • migrate-ds: fix compat plugin check

  • rpcclient: use json_encode_binary for verbose output

  • Fix TOTP Synchronization Window label

  • Become IPA 4.1.3

Simo Sorce (3)

  • Avoid calling ldap functions without a context

  • Remove the removal of the ccache

  • Handle DAL ABI change in MIT 1.13

Tomáš Babej (9)

  • Re-initialize NSS database after otptoken plugin tests

  • certs: Fix incorrect flag handling in load_cacert

  • hosts: Display assigned ID view by default in host-find and show commands

  • idviews: Complain if host is already assigned the ID View in idview-apply

  • idviews: Ignore host or hostgroup options set to None

  • baseldap: Handle missing parent objects properly in *-find commands

  • ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView

  • ipatests: Fix old command references in the ID views tests

  • ipatests: Fix incorrect assumptions in idviews tests