The FreeIPA team would like to announce the FreeIPA v4.2.1 bug-fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the official COPR repository.

Highlights in 4.2.1

Enhancements

  • Added support for multiple IP addresses during client installation

Bug fixes

  • Various fixes for new Vault feature

  • Various fixes for new Certificates Profiles feature

  • Fixed ACI issue in searches for HBAC rules, sudo rules, users and other IPA objects by non-admin users

  • Backup and restore fixes, mostly related to DNSSEC

  • ipa-client-install is able to request a certificate in a kickstart environment

  • Fixed server upgrade failure in “Enabling KDC proxy” step

  • Added option to establish bidirectional trust in Web UI

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 4.2.0

Alexander Bokovoy (5)

  • selinux: enable httpd_run_ipa to allow communicating with oddjobd services

  • oddjob: avoid chown keytab to sssd if sssd user does not exist

  • Fix selector of protocol for LSA RPC binding string

  • trusts: harden trust-fetch-domains oddjobd-based script

  • trusts: format Kerberos principal properly when fetching trust topology

Christian Heimes (10)

  • Start dirsrv for kdcproxy upgrade

  • Fix selinux denial during kdcproxy user creation

  • certprofile-import: improve profile format documentation

  • otptoken: use ipapython.nsslib instead of Python’s ssl module

  • Require Dogtag PKI >= 10.2.6

  • Validate vault’s file parameters

  • certprofile-import: do not require profileId in profile data

  • Asymmetric vault: validate public key in client

  • Add flag to list all service and user vaults

  • Change internal rsa_(public|private)_key variable names

David Kupka (9)

  • migration: Use api.env variables.

  • certmonger: Use private unix socket when DBus SystemBus is not available.

  • ipa-client-install: Do not (re)start certmonger and DBus daemons.

  • user-undel: Fix error messages.

  • client: Add support for multiple IP addresses during installation.

  • client: Add description of --ip-address and --all-ip-addresses to man page

  • Backup/restore authentication control configuration

  • vault: Limit size of data stored in vault

  • ipactl: Do not start/stop/restart single service multiple times

Endi Sukma Dewata (6)

  • Fixed missing KRA agent cert on replica.

  • Added CLI param and ACL for vault service operations.

  • Fixed vault container ownership.

  • Added support for changing vault encryption.

  • Removed clear text passwords from KRA install log.

  • Using LDAPI to setup CA and KRA agents.

Fraser Tweedale (14)

  • user-show: add --out option to save certificates to file

  • Fix otptoken-remove-managedby command summary

  • Give more info on virtual command access denial

  • Allow SAN extension for cert-request self-service

  • Add profile for DNP3 / IEC 62351-8 certificates

  • Work around python-nss bug on unrecognised OIDs

  • Fix default CA ACL added during upgrade

  • Fix KRB5PrincipalName / UPN SAN comparison

  • certprofile: add profile format explanation

  • Add permission for bypassing CA ACL enforcement

  • Prohibit deletion of predefined profiles

  • cert-request: remove allowed extensions check

  • certprofile: prevent rename (modrdn)

  • certprofile: remove ‘rename’ option

Jan Cholasta (14)

  • spec file: Move /etc/ipa/kdcproxy to the server subpackage

  • spec file: Update minimum required version of krb5

  • install: Fix server and replica install options

  • ULC: Prevent preserved users from being assigned membership

  • spec file: Fix install with the server-dns subpackage

  • baseldap: Allow overriding member param label in LDAPModMember

  • vault: Fix param labels in output of vault owner commands

  • install: Fix replica install with custom certificates

  • vault: Fix vault-find with criteria

  • vault: Add container information to vault command results

  • spec file: Add Requires(post) on selinux-policy

  • cert renewal: Include KRA users in Dogtag LDAP update

  • cert renewal: Automatically update KRA agent PEM file

  • ldap: Make ldap2 connection management thread-safe again

Lenka Doudova (2)

  • Automated test for stageuser plugin

  • Fix user tracker to reflect new user-del message

Martin Babinsky (12)

  • ipa-ca-install: print more specific errors when CA is already installed

  • enable debugging of ntpd during client installation

  • fix broken search for users by their manager

  • ACI plugin: correctly parse bind rules enclosed in parentheses

  • test suite for user/host/service certificate management API commands

  • store certificates issued for user entries as userCertificate;binary

  • idranges: raise an error when local IPA ID range is being modified

  • fix typo in BasePathNamespace member pointing to ods exporter config

  • ipa-backup: archive DNSSEC zone file and kasp.db

  • ipa-restore: check whether DS is running before attempting connection

  • improve the handling of krb5-related errors in dnssec daemons

  • improve the usability of `ipa user-del --preserve` command

Martin Bašti (23)

  • Prevent to rename certprofile profile id

  • Stageuser-activate: show username instead of DN

  • copy-schema-to-ca: allow to overwrite schema files

  • fix selinuxusermap search for non-admin users

  • Validate adding privilege to a permission

  • sysrestore: copy files instead of moving them to avoid SELinux issues

  • Allow value ‘no’ for replica-certify-all attr in abort-clean-ruv subcommand

  • Py3: replace tab with space

  • DNS: Consolidate DNS RR types in API and schema

  • DNS: check if DNS package is installed

  • Remove ico files from Makefile

  • Use ‘mv -Z’ in specfile to restore SELinux context

  • ULC: Fix stageuser-add --from-delete command

  • Fix upgrade of sidgen and extdom plugins

  • Add dependency to SSSD 1.13.1

  • Server Upgrade: Start DS before CA is started.

  • Add user-stage command

  • DNSSEC: fix forward zone forwarders checks

  • DNSSEC: remove “DNSSEC is experimental” warnings

  • Backup: back up the hosts file

  • Installer: do not modify /etc/hosts before user agreement

  • DNSSEC: backup and restore opendnssec zone list file

  • DNSSEC: remove ccache and keytab of ipa-ods-exporter

Milan Kubík (4)

  • ipalib: pass api instance into textui in doctest snippets

  • spec file: update the python package names for libipa_hbac and libsss_nss_idmap

  • tests: Allow Tracker.dn be an instance of Fuzzy

  • ipatests: Take otptoken import test out of execution

Oleg Fayans (2)

  • Added a user-friendly output to an import error

  • Temporary fix for ticket 5240

Petr Voborník (17)

  • Become IPA 4.2.0

  • do not import memcache on client

  • webui: fix user reset password dialog

  • fix hbac rule search for non-admin users

  • webui: add Kerberos configuration instructions for Chrome

  • webui: fix regressions failed auth messages

  • webui: add LDAP vs Kerberos behavior description to user auth types

  • adjust search so that it works for non-admin users

  • validate mutually exclusive options in vault-add

  • add permission: System: Manage User Certificates

  • vault: normalize service principal in service vault operations

  • vault: validate vault type

  • vault: change default vault type to symmetric

  • fix missing information in object metadata

  • webui: add option to establish bidirectional trust

  • vault: fix vault tests after default type change

  • Become IPA 4.2.1

Petr Špaček (6)

  • Create server-dns sub-package.

  • DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart

  • DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction

  • DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master

  • DNSSEC: Fix key metadata export

  • DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.

Rob Crittenden (1)

  • Use %license instead of %doc for packaging the license

Simo Sorce (1)

  • Fix DNS records installation for replicas

Stanislav Laznicka (1)

  • ipa-client-install: warn when IP used in --server

Tomáš Babej (24)

  • ipalib: Fix missing format for InvalidDomainLevelError

  • trusts: Check for AD root domain among our trusted domains

  • ipaplatform: Add constants submodule

  • tests: user_plugin: Add preserved flag when --all is used

  • dcerpc: Expand explanation for WERR_ACCESS_DENIED

  • idviews: Check for the Default Trust View only if applying the view

  • tests: service_plugin: Make sure the cert is decoded from base64

  • tests: realmdomains_plugin: Add explanatory comment

  • tests: Version is currently generated during command call

  • tests: vault_plugin: Skip tests if KRA not available

  • tests: test_rpc: Create connection for the current thread

  • tests: test_cert: Services can have multiple certificates

  • dcerpc: Fix UnboundLocalError for ccache_name

  • dcerpc: Add get_trusted_domain_object_type method

  • idviews: Restrict anchor to name and name to anchor conversions

  • idviews: Enforce objectclass check in idoverride*-del

  • replication: Fix incorrect exception invocation

  • Fix incorrect type comparison in trust-fetch-domains

  • dcerpc: Simplify generation of LSA-RPC binding strings

  • adtrust-install: Correctly determine 4.2 FreeIPA servers

  • trusts: Detect domain clash with IPA domain when adding a AD trust

  • trusts: Detect missing Samba instance

  • winsync-migrate: Add warning about passsync

  • winsync-migrate: Expand the man page

Yuri Chornoivan (1)

  • Fix minor typos