The FreeIPA team would like to announce FreeIPA v4.3.2 bug fixing release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Experimental builds for CentOS 7 will be available in the official FreeIPA CentOS7 COPR repository
Highlights in 4.3.2#
Enhancements#
Bug fixes#
fixed upgrade bug on servers without CA #5958
fixed installation of server with DNS if A record didn’t exist #5962
fixed issue where A/AAAA DNS records were not created for CA #5966
fixed installation of CA less replica on domain level 1 #5721
fixed forward zone conflicts with automatic empty zones from BIND #5710
fixed race condition with multiple simultaneous request from the same principal #5653
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.3.2#
Abhijeet Kasurde (2)#
Added description related to ‘status’ in ipactl man page
Updated ipa command man page
Alexander Bokovoy (1)#
otptoken: support Python 3 for the qr code
David Kupka (3)#
man: Decribe ipa-client-install workaround for broken D-Bus enviroment.
installer: positional_arguments must be tuple or list of strings
installer: index() raises ValueError
Florence Blanc-Renaud (2)#
Do not allow installation in FIPS mode
Fix session cookies
Fraser Tweedale (5)#
caacl: correctly handle full user principal name
Prevent replica install from overwriting cert profiles
Detect and repair incorrect caIPAserviceCert config
upgrade: do not try to start CA if not configured
Move normalize_hostname to where it is expected
Jan Cholasta (4)#
spec file: bump minimum required pki-core version
build: fix client-only build
makeapi: use the same formatting for `int` and `long` values
replica install: do not set CA renewal master flag
Lenka Doudova (2)#
WebUI: Test creating user without private group
Test fix: Cleanup for host certificate
Martin Babinsky (1)#
replica-prepare: do not add PTR records if there is no IPA managed reverse zone
Martin Bašti (18)#
Add missing pre_common_callback to stageuser_add
Revert “ipatests: extend permission plugin test with new expected output”
make: fail when ACI.txt or API.txt differs from values in source code
Upgrade: always start CA
Set proper zanata project-version
Translations: remove deprecated locale configuration
Test: fix failing host_test
Fix: exceptions in DNS tests should not have data attribute
Translations: update translations for IPA 4.3.x
Fix resolve_rrsets: RRSet is not hashable
Translations: update ipa-4-3 translations
Revert “Switch /usr/bin/ipa to Python 3”
Use python2 for ipa cli
Replica promotion: use the correct IPA domain for replica
CA replica promotion: add proper CA DNS records
CA replica promotion: fix forgotten import
Fix replica install with CA
Use copy when replacing files to keep SELinux context
Milan Kubík (3)#
ipatests: fix for change_principal context manager
ipatests: Add test case for requesting a certificate with full principal.
spec: Add python-sssdconfig dependency for python-ipatests package
Oleg Fayans (9)#
Added a kdestroy call to clean ccache at master/client uninstallation
Added 5 more tests to Replica Promotion testsuite
Fixed a failure in legacy_client tests
Add test if replica is working after domain upgrade
Improve reporting of failed tests in topology test suite
Bugfixes in managed topology tests
A workaround for ticket N 5348
Increased certmonger timeout
Test for incorrect client domain
Pavel Vomacka (3)#
Add X-Frame-Options and frame-ancestors options
Add ‘skip overlap check’ checkbox into add zone dialog
Add ‘skip overlap check’ checkbox to the add dns forward zone dialog
Petr Viktorin (23)#
dns plugin: Fix zone normalization under Python 3
sysrestore: Iterate over a list of dict keys
test_xmlrpc: Use absolute imports
xmlrpc_test: Rename exception instance before working with it
radiusproxy plugin: Use str(error) rather than error.message
xmlrpc_test: Expect bytes rather than strings for binary attributes
ipalib.rpc: Send base64-encoded data as string under Python 3
range plugin tests: Use bytes with MockLDAP under Python 3
radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
certprofile plugin: Use binary mode for file with binary data
test_add_remove_cert_cmd: Use bytes for base64.b64encode()
Switch /usr/bin/ipa to Python 3
Fix remaining relative import and enable Pylint check
ipalib.cli: Improve reporting of binary values in the CLI
test_cert_plugin: Encode ‘certificate’ for comparison with ‘usercertificate’
ipaldap: Keep attribute names as text, not bytes
ipapython.secrets.kem: Use ConfigParser from six.moves
test_topology_plugin: Don’t rely on order of an attribute’s values
test_rpcserver: Expect updated error message under Python 3
ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
ipaldap: Convert dict items to list before iterating
test_ipaserver.test_ldap: Adjust tests to Python 3’s KeyView
Petr Voborník (2)#
mod_auth_gssapi: enable unique credential caches names
Become IPA 4.3.2
Petr Špaček (30)#
Remove function ipapython.ipautil.host_exists()
Extend installers with –forward-policy option
Move automatic empty zone list into ipapython.dnsutil and make it reusable
Add assert_absolute_dnsname() helper to ipapython.dnsutil
Move function is_auto_empty_zone() into ipapython.dnsutil
Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
Add function ipapython.dnsutil.inside_auto_empty_zone()
Auto-detect default value for –forward-policy option in installers
DNS: Fix upgrade - master to forward zone transformation
DNS installer: accept –auto-forwarders option in unattended mode
Batch command: avoid accessing potentially undefined context.principal
Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
Use root_logger for verify_host_resolvable()
Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
Add ipaDNSVersion option to dnsconfig* commands and use new attribute
DNS upgrade: separate backup logic to make it reusable
Add function ipapython.dnsutil.related_to_auto_empty_zone()
DNS upgrade: change forwarding policy to = only for conflicting forward zones
DNS upgrade: change global forwarding policy in LDAP to “only” if private IPs are used
DNS upgrade: change global forwarding policy in named.conf to “only” if private IPs are used
DNS: Warn if forwarding policy conflicts with automatic empty zones
DNS: Fix realm domains integration with DNS zone add.
client: Share validator and domain name normalization with server install
DNS: Fix tests for realm domains integration with DNS zone add
client-install: do not fail if DNS times out during DNS update generation
Use NSS for name->resolution in IPA installer
DNS: Remove unnecessary DNS check from installer
Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
Fix internal errors in host-add and other commands caused by DNS resolution
Stanislav Laznicka (9)#
replica-manage: fail nicely when DM psswd required
ipa-replica-manage refactoring
abort-clean/list/clean-ruv now work for both suffixes
Moved password check from clean_dangling_ruv
Fix to clean-dangling-ruv for single CA topologies
Added pyusb as a dependency
Deprecated the domain-level option in ipa-server-install
fixes premature sys.exit in ipa-replica-manage del
Remove dangling RUVs even if replicas are offline
Thierry Bordaz (1)#
Make sure ipapwd_extop takes precedence over passwd_modify_extop