
Releases/4.4.2

Release date: 2016-10-13

The FreeIPA team would like to announce the FreeIPA 4.4.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.2

Known Issues

  • ipa-ca-install fails on replica when master is CA-less (#6226).
  • The ipa cert-find command doesn't return the revocation reason in its output, so the Web UI cannot display the proper state of a certificate (#6269).

Bug fixes

FreeIPA 4.4.2 is a stabilization release for the features delivered as a part of 4.4.0. There are more than 40 bug fixes; details can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Resolved tickets

  • #4802 Investigate & document if TLS 1.2 is properly supported
  • #5557 Strict dependency of optional package pam_krb5
  • #5644 dnsrecord-del incompatible with admintools < ver 3.2 and server >= ver 3.2
  • #5725 failed ipa-server-install --uninstall returns exit code 0
  • #5754 ipa-client-install man page has incorrect data on hostname
  • #5755 test_0006_service_show in test_cert_plugin uses global variable wrong
  • #5809 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes
  • #5814 Change IP address validation errors to warnings [support for cloud environments]
  • #5818 webui: "Restore" option is not available for a preserved user in detailed info
  • #5822 Cannot create user with username exactly 255 characters long
  • #5855 method get_primary_key_from_dn does not work for netgroups properly
  • #6057 adding two way non transitive(external) trust displays internal error on the console
  • #6095 ipa command stuck forever on higher versioned client with lower versioned server
  • #6155 [tracker] Failed to configure CA instance
  • #6190 Regressions found by test: ipa.test_ipalib.test_parameters
  • #6203 dnsrecord-add does not prompt for missing record parts interactively
  • #6212 Pretty-print mismatches in tests
  • #6216 webui: cert_revoke should use --cacn to set correct CA when revoking certificate
  • #6221 Certificate revocation in service-del and host-del isn't aware of Sub CAs
  • #6230 installer: external CA step 1 successful but reports ScriptError
  • #6238 Unable to view certificates issued by Sub CA in Web UI
  • #6256 [tracker] Revoke certificate on lightweight CA deletion
  • #6257 Implement ca-enable/disable commands.
  • #6260 cert-request: use better error message when CA is disabled
  • #6273 Command autocompletion without installed server prints an error message
  • #6279 CLI always sends default command version
  • #6285 Tests: Regex errors in trust tests
  • #6288 ipa-certupdate fails with "CA is not configured"
  • #6294 TypeError in installer
  • #6296 client-install with IPv6 address fails on link-local address (always)
  • #6300 Remove the assertion of incorrect return code from replica_promotion tests
  • #6301 Fix replica_promotion tests
  • #6304 cert-find --certificate does not work for certificates not in LDAP
  • #6306 Add cleanup to integration trust tests
  • #6309 cert-request does not raise error when CSR does not match profile pattern
  • #6312 Failing ldap backend test because service not found
  • #6313 Failing test in test_ipalib/test_plugable
  • #6322 Add krb5kdc restart to integration trust tests
  • #6323 Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
  • #6326 Update host test with ipa-join
  • #6327 regression in `ipa cert-revoke --help`
  • #6328 ipa trust-fetch-domains throws internal error
  • #6329 WinSync users who have First.Last casing creates users who can have their password set
  • #6330 Invalid description for --hostname option in ipa-server-install man page
  • #6333 Skipped test_ipalib/test_text::test_TestLang::test_test_lang in outoftree suite
  • #6338 [Tests] Remove SSSD restart from integration tests
  • #6341 Certificate UI on details page shows add button even if user doesn't have write right
  • #6349 Tests: incomplete cleanup of CA plugin XMLRPC tests
  • #6366 Extend CA ACL tests for test cases with CSR containing Subject Alt Name
  • #6368 otpd doesn't properly handle closing of ldap connection
  • #6373 test_util.test_assert_deepequal fails
  • #6382 Test: disable test for wrong client domain in domain level 0
  • #6385 ipa-server-install --external-ca fails with AttributeError
  • #6390 python-dns 1.15.0 breaks FreeIPA
  • #6391 make FreeIPA codebase ready for pylint in Fedora rawhide
  • #5791 CA fails to start after doing ipa-ca-install --external-ca

Detailed changelog since 4.4.1

Christian Heimes (1)

  • Use RSA-OAEP instead of RSA PKCS#1 v1.5 cgit #6278

David Kupka (2)

  • UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling cgit #6385
  • schema cache: Store and check info for pre-schema servers cgit #6095

Florence Blanc-Renaud (2)

  • Fix regression introduced in ipa-certupdate cgit #6288
  • Fix ipa-certupdate for CA-less installation cgit #6288

Fraser Tweedale (10)

  • Add commentary about CA deletion to plugin doc cgit #6256
  • spec: require Dogtag >= 10.3.5-6 cgit #6256
  • cert-request: raise error when request fails cgit #6309
  • Make host/service cert revocation aware of lightweight CAs cgit #6221
  • cert-request: raise CertificateOperationError if CA disabled cgit #6260
  • Use Dogtag REST API for certificate requests cgit #3473, #6260
  • Add HTTPRequestError class cgit #3473, #6260
  • Allow Dogtag RestClient to perform requests without logging in cgit #3473, #6260
  • Add ca-disable and ca-enable commands cgit #6257
  • Track lightweight CAs on replica installation cgit #6019

Jan Cholasta (8)

  • test_plugable: update the rest of test_init cgit #6313
  • dns: re-introduce --raw in dnsrecord-del cgit #5644
  • client: remove hard dependency on pam_krb5 cgit #5557
  • cert: fix cert-find --certificate when the cert is not in LDAP cgit #6304
  • dns: fix crash in interactive mode against old servers cgit #6203
  • dns: prompt for missing record parts in CLI cgit #6203
  • dns: normalize record type read interactively in dnsrecord_add cgit #6203
  • cli: use full name when executing a command cgit #6279

Lenka Doudova (11)

  • Tests: Certificate revocation cgit #6349
  • Tests: Remove invalid certplugin tests cgit #6349
  • Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap cgit #6323
  • Tests: Fix host attributes in ipa-join host test cgit #6326
  • Tests: Update host test with ipa-join cgit #6326
  • Tests: Add krb5kdc.service restart to integration trust tests cgit #6322
  • Tests: Remove SSSD restart from integration tests cgit #6338
  • Tests: Fix integration sudo tests setup and checks cgit #6262
  • Tests: Fix failing ldap.backend test cgit #6312
  • Tests: Add cleanup to integration trust tests cgit #6306
  • Tests: Fix regex errors in integration trust tests cgit #6285

Martin Babinsky (13)

  • disable warnings reported by pylint-1.6.4-1 cgit #6391
  • mod_nss: use more robust quoting of NSSNickname directive cgit #5809
  • Move character escaping function to ipautil cgit #5809
  • Make Continuous installer continuous only during execution phase cgit #5725
  • use separate exception handlers for executors and validators cgit #5725
  • ipa passwd: use correct normalizer for user principals cgit #6329
  • trust-fetch-domains: contact forest DCs when fetching trust domain info cgit #6328
  • netgroup: avoid extraneous LDAP search when retrieving primary key from DN cgit #5855
  • ldapupdate: Use proper inheritance in BadSyntax exception cgit #6294
  • raise ValidationError when deprecated param is passed to command cgit #6190
  • Always fetch forest info from root DCs when establishing one-way trust cgit #6057
  • factor out `populate_remote_domain` method into module-level function cgit #6057
  • Always fetch forest info from root DCs when establishing two-way trust cgit #6057

Martin Basti (17)

  • test_text: add test ipa.pot file for tests cgit #6333
  • Test: don't use global variable for iteration in test_cert_plugin cgit #5755
  • Use constant for user and group patterns cgit #5822
  • Fix regexp patterns in parameters to not enforce length cgit #5822
  • Add check for IP addresses into DNS installer cgit #5814
  • Fix missing config.ips in promote_check cgit #5814
  • Abstract procedures for IP address warnings cgit #5814
  • Catch DNS exceptions during emptyzones named.conf upgrade cgit #6205
  • Start named during configuration upgrade. cgit #6205
  • Tests: extend DNS cmdline tests with lowercased record type cgit #6203
  • Show warning when net/broadcast IP address is used in installer cgit #5814
  • Allow multicast addresses in A/AAAA records cgit #5814
  • Allow broadcast ip addresses cgit #5814
  • Allow network ip addresses cgit #5814
  • Fix parse errors with link-local addresses cgit #6296
  • Fix ScriptError to always return string from __str__ cgit #6294
  • Set zanata project-version for 4.4 branch cgit

Milan Kubík (3)

  • ipatests: Implement tests with CSRs requesting SAN cgit #6366
  • ipatests: Fix name property on a service tracker cgit #6366
  • ipatests: provide context manager for keytab usage in RPC tests cgit #6366

Nathaniel McCallum (1)

  • Properly handle LDAP socket closures in ipa-otpd cgit #6368

Oleg Fayans (4)

  • Test: disabled wrong client domain tests for domlevel 0 cgit #6382
  • Changed addressing to the client hosts to be replicas cgit #6287
  • Several fixes in replica_promotion tests cgit #6301
  • Removed incorrect check for returncode cgit #6300

Petr Spacek (1)

  • Fix compatibility with python-dns 1.15.0 cgit #6390

Pavel Vomacka (5)

  • WebUI: hide buttons in certificate widget according to acl cgit #6341
  • Add 'Restore' option to action dropdown menu cgit #5818
  • WebUI add support for sub-CAs while revoking certificates cgit #6216
  • WebUI: Fix showing certificates issued by sub-CA cgit #6238
  • Add support for additional options taken from table facet cgit #6238

Stanislav Laznicka (5)

  • Make installer quit more nicely on external CA installation cgit #6230
  • Fix test_util.test_assert_deepequal test cgit #6373
  • Pretty-print structures in assert_deepequal cgit #6212
  • Remove update_from_dict() method cgit #6311
  • Updated help/man information about hostname cgit #5754

Tomas Krizek (4)

  • Keep NSS trust flags of existing certificates cgit #5791
  • Update ipa-server-install man page for hostname cgit #6330
  • Add help info about certificate revocation reasons cgit #6327
  • Don't show error messages in bash completion cgit #6273