The FreeIPA team would like to announce FreeIPA v4.2.1 bug fixing release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the official COPR repository.
Highlights in 4.2.1#
Enhancements#
Added support for multiple IP addresses during client installation
Bug fixes#
Various fixes for new Vault feature
Various fixes for new Certificates Profiles feature
Fixed ACI issue in search for hbac rules, sudo rules, users and other IPA objects by non-admin users
Backup and restore fixes, mostly related to DNSSEC
ipa-client-install is able to request a certificate in kickstart environment
Fixed server upgrade failure in “Enabling KDC proxy” step
Added option to establish bidirectional trust in Web UI
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.2.0#
Alexander Bokovoy (5)#
selinux: enable httpd_run_ipa to allow communicating with oddjobd services
oddjob: avoid chown keytab to sssd if sssd user does not exist
Fix selector of protocol for LSA RPC binding string
trusts: harden trust-fetch-domains oddjobd-based script
trusts: format Kerberos principal properly when fetching trust topology
Christian Heimes (10)#
Start dirsrv for kdcproxy upgrade
Fix selinux denial during kdcproxy user creation
certprofile-import: improve profile format documentation
otptoken: use ipapython.nsslib instead of Python’s ssl module
Require Dogtag PKI >= 10.2.6
Validate vault’s file parameters
certprofile-import: do not require profileId in profile data
Asymmetric vault: validate public key in client
Add flag to list all service and user vaults
Change internal rsa_(public|private)_key variable names
David Kupka (9)#
migration: Use api.env variables.
cermonger: Use private unix socket when DBus SystemBus is not available.
ipa-client-install: Do not (re)start certmonger and DBus daemons.
user-undel: Fix error messages.
client: Add support for multiple IP addresses during installation.
client: Add description of –ip-address and –all-ip-addresses to man page
Backup/resore authentication control configuration
vault: Limit size of data stored in vault
ipactl: Do not start/stop/restart single service multiple times
Endi Sukma Dewata (6)#
Fixed missing KRA agent cert on replica.
Added CLI param and ACL for vault service operations.
Fixed vault container ownership.
Added support for changing vault encryption.
Removed clear text passwords from KRA install log.
Using LDAPI to setup CA and KRA agents.
Fraser Tweedale (14)#
user-show: add –out option to save certificates to file
Fix otptoken-remove-managedby command summary
Give more info on virtual command access denial
Allow SAN extension for cert-request self-service
Add profile for DNP3 / IEC 62351-8 certificates
Work around python-nss bug on unrecognised OIDs
Fix default CA ACL added during upgrade
Fix KRB5PrincipalName / UPN SAN comparison
certprofile: add profile format explanation
Add permission for bypassing CA ACL enforcement
Prohibit deletion of predefined profiles
cert-request: remove allowed extensions check
certprofile: prevent rename (modrdn)
certprofile: remove ‘rename’ option
Jan Cholasta (14)#
spec file: Move /etc/ipa/kdcproxy to the server subpackage
spec file: Update minimum required version of krb5
install: Fix server and replica install options
ULC: Prevent preserved users from being assigned membership
spec file: Fix install with the server-dns subpackage
baseldap: Allow overriding member param label in LDAPModMember
vault: Fix param labels in output of vault owner commands
install: Fix replica install with custom certificates
vault: Fix vault-find with criteria
vault: Add container information to vault command results
spec file: Add Requires(post) on selinux-policy
cert renewal: Include KRA users in Dogtag LDAP update
cert renewal: Automatically update KRA agent PEM file
ldap: Make ldap2 connection management thread-safe again
Lenka Doudova (2)#
Automated test for stageuser plugin
Fix user tracker to reflect new user-del message
Martin Babinsky (12)#
ipa-ca-install: print more specific errors when CA is already installed
enable debugging of ntpd during client installation
fix broken search for users by their manager
ACI plugin: correctly parse bind rules enclosed in parentheses
test suite for user/host/service certificate management API commands
store certificates issued for user entries as userCertificate;binary
idranges: raise an error when local IPA ID range is being modified
fix typo in BasePathNamespace member pointing to ods exporter config
ipa-backup: archive DNSSEC zone file and kasp.db
ipa-restore: check whether DS is running before attempting connection
improve the handling of krb5-related errors in dnssec daemons
improve the usability of `ipa user-del –preserve` command
Martin Bašti (23)#
Prevent to rename certprofile profile id
Stageusedr-activate: show username instead of DN
copy-schema-to-ca: allow to overwrite schema files
fix selinuxusermap search for non-admin users
Validate adding privilege to a permission
sysrestore: copy files instead of moving them to avoind SELinux issues
Allow value ‘no’ for replica-certify-all attr in abort-clean-ruv subcommand
Py3: replace tab with space
DNS: Consolidate DNS RR types in API and schema
DNS: check if DNS package is installed
Remove ico files from Makefile
Use ‘mv -Z’ in specfile to restore SELinux context
ULC: Fix stageused-add –from-delete command
Fix upgrade of sidgen and extdom plugins
Add dependency to SSSD 1.13.1
Server Upgrade: Start DS before CA is started.
Add user-stage command
DNSSEC: fix forward zone forwarders checks
DNSSEC: remove “DNSSEC is experimental” warnings
Backup: back up the hosts file
Installer: do not modify /etc/hosts before user agreement
DNSSEC: backup and restore opendnssec zone list file
DNSSEC: remove ccache and keytab of ipa-ods-exporter
Milan Kubík (4)#
ipalib: pass api instance into textui in doctest snippets
spec file: update the python package names for libipa_hbac and libsss_nss_idmap
tests: Allow Tracker.dn be an instance of Fuzzy
ipatests: Take otptoken import test out of execution
Oleg Fayans (2)#
Added a user-friendly output to an import error
Temporary fix for ticket 5240
Petr Voborník (17)#
Become IPA 4.2.0
do not import memcache on client
webui: fix user reset password dialog
fix hbac rule search for non-admin users
webui: add Kerberos configuration instructions for Chrome
webui: fix regressions failed auth messages
webui: add LDAP vs Kerberos behavior description to user auth types
adjust search so that it works for non-admin users
validate mutually exclusive options in vault-add
add permission: System: Manage User Certificates
vault: normalize service principal in service vault operations
vault: validate vault type
vault: change default vault type to symmetric
fix missing information in object metadata
webui: add option to establish bidirectional trust
vault: fix vault tests after default type change
Become IPA 4.2.1
Petr Špaček (6)#
Create server-dns sub-package.
DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master
DNSSEC: Fix key metadata export
DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
Rob Crittenden (1)#
Use %license instead of %doc for packaging the license
Simo Sorce (1)#
Fix DNS records installation for replicas
Stanislav Laznicka (1)#
ipa-client-install: warn when IP used in –server
Tomáš Babej (24)#
ipalib: Fix missing format for InvalidDomainLevelError
trusts: Check for AD root domain among our trusted domains
ipaplatform: Add constants submodule
tests: user_plugin: Add preserved flag when –all is used
dcerpc: Expand explanation for WERR_ACCESS_DENIED
idviews: Check for the Default Trust View only if applying the view
tests: service_plugin: Make sure the cert is decoded from base64
tests: realmdomains_plugin: Add explanatory comment
tests: Version is currently generated during command call
tests: vault_plugin: Skip tests if KRA not available
tests: test_rpc: Create connection for the current thread
tests: test_cert: Services can have multiple certificates
dcerpc: Fix UnboundLocalError for ccache_name
dcerpc: Add get_trusted_domain_object_type method
idviews: Restrict anchor to name and name to anchor conversions
idviews: Enforce objectclass check in idoverride*-del
replication: Fix incorrect exception invocation
Fix incorrect type comparison in trust-fetch-domains
dcerpc: Simplify generation of LSA-RPC binding strings
adtrust-install: Correctly determine 4.2 FreeIPA servers
trusts: Detect domain clash with IPA domain when adding a AD trust
trusts: Detect missing Samba instance
winsync-migrate: Add warning about passsync
winsync-migrate: Expand the man page
Yuri Chornoivan (1)#
Fix minor typos