The FreeIPA team would like to announce FreeIPA 4.5.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25/26 will be available in the official COPR repository.

Highlights in 4.5.2#

5860: depracate –no-sssd option

Option ‘–no-sssd’ has been deprecated because SSSD is recommened to use on modern platforms - Fedora, RHEL 6, RHEL 7, Debian.

Enhancements#

Known Issues#

Bug fixes#

FreeIPA 4.5.2 is a stabilization release for the features delivered as apart of 4.5.0. There are more than 20 bug-fixes details of which can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

#7020 Installation of KRA replica fails
#7015 allow to modify list of UPNs of a trusted forest
#7001 Do not send Max-Age in ipa_session cookie to avoid breaking older clients
#7000 Provide a simple command to issue KDC certificates on a IPA master
#6993 certauth: use canonical principal for lookups
#6982 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master
#6981 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
#6977 Simple service uninstallers must be able to handle missing service files gracefully
#6972 Replica installation grants HTTP principal access in WebUI
#6966 Document that port 8080 needs to be open on IPA masters for cert-find
#6965 ipa-replica-manage del replica.name fails
#6963 ipa certmaprule change not reflected in krb5kdc workers
#6958 [tracker] SELinux policy denies IPA framework to perform anonymous PKINIT on localhost during FAST armoring
#6948 services entries missing krbCanonicalName attribute.
#6937 Provide an API command to retrieve PKINIT status in the FreeIPA topology
#6936 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
#6935 ipa-replica-conncheck fails when there is no ssh executable on the master
#6885 ipa cert-show does not raise error if no file name specified
#6867 [ipa-replica-install] - KDC has no support for encryption type
#6800 Investigate how privilege separation feature will work after DL0->DL1 update
#6796 WSGI fails with recursion error in GSSAPI
#6749 “ipa: ERROR: an internal error has occurred” on executing command “ipa cert-request –add” after upgrade
#6736 Add pkinit_indicator option to KDC configuration
#6572 server-del doesn’t remove dns-server configuration from ldap
#5860 depracate –no-sssd option
#5788 user-add postcallback is not efficient when –noprivate flag is set
#5406 ipa-client-install should not use hardcoded admin principal

Detailed changelog since 4.5.1#

Alexander Bokovoy (4)#

trust-mod: allow modifying list of UPNs of a trusted forest commit #7015
ipa-kdb: add pkinit authentication indicator in case of a successful certauth commit #6736
Fix index definition for ipaAnchorUUID commit #6975
krb5: make sure KDC certificate is readable commit #6973

David Kupka (1)#

kra: promote: Get ticket before calling custodia commit #7020

Felipe Volpone (2)#

Changing cert-find to go through the proxy instead of using the port 8080 commit #6966
Changing cert-find to do not use only primary key to search in LDAP. commit #6948

Florence Blanc-Renaud (1)#

ipa-replica-conncheck: handle ssh not installed commit #6935

Jan Cholasta (4)#

server upgrade: do not enable PKINIT by default commit #7000
pkinit manage: introduce ipa-pkinit-manage commit #7000
server certinstall: update KDC master entry commit #7000
httpinstance: wait until the service entry is replicated commit #6867

Martin Babinsky (10)#

Prepare advise plugin for smart card auth configuration commit #6982
Extend the advice printing code by some useful abstractions commit #6982
fix incorrect suffix handling in topology checks commit #6965
only stop/disable simple service if it is installed commit #6977
test_serverroles: Get rid of MockLDAP and use ldap2 instead commit #6937
Add `pkinit-status` command commit #6937
Add the list of PKINIT servers as a virtual attribute to global config commit #6937
Add an attribute reporting client PKINIT-capable servers commit #6937
Refactor the role/attribute member reporting code commit #6937
Allow for multivalued server attributes commit #6937

Martin Basti (4)#

Only warn when specified server IP addresses don’t match intf commit #2715, #4317
Add remote_plugins subdirectories to RPM commit #6927
custodia dep: require explictly python2 version commit #6962
4.5 set back to git snapshot commit

Pavel Vomacka (4)#

WebUI: add support for changing trust UPN suffixes commit #7015
Bump version of python-gssapi commit #6796
Turn off OCSP check commit #6981, #6982
Change python-cryptography to python2-cryptography commit #6749

Sumit Bose (2)#

ipa-kdb: use canonical principal in certauth plugin commit #6993
ipa-kdb: reload certificate mapping rules periodically commit #6963

Simo Sorce (3)#

Revert setting sessionMaxAge for old clients commit #7001
Add code to be able to set default kinit lifetime commit #7001
Fix rare race condition with missing ccache file commit

Stanislav Laznicka (6)#

rpc: avoid possible recursion in create_connection commit #6796
rpc: preparations for recursion fix commit #6796
Avoid possible endless recursion in RPC call commit #6796
kdc.key should not be visible to all commit #6973
Remove pkinit-anonymous command commit #6936
ca/cert-show: check certificate_out in options commit #6885

Tibor Dudlák (3)#

server.py: Removes dns-server configuration from ldap commit #6572
sssd.py: Deprecating no-sssd option. commit #5860
client.py: Replace hardcoded ‘admin’ with options.principal commit #5406

Tibor Dudlák (1)#

user.py: replace user_mod with ldap.update_entry() commit #5788

Tomas Krizek (2)#

Become IPA 4.5.2 commit
Update translations commit

Highlights in 4.5.2

Contents