The FreeIPA team would like to announce the FreeIPA 4.5.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25 and 26 will be available in the official COPR repository.

Highlights in 4.5.4

Enhancements

Known Issues

Bug fixes

FreeIPA 4.5.4 is a stabilization release for the features delivered as part of 4.5.0. There are more than 30 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #7179 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful.

  • #7175 [Backport 7143 to ipa-4-5] “unknown command ‘undefined’” error when changing user’s password via the web UI

  • #7173 Switch from externally-signed to self-signed CA fails

  • #7172 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC

  • #7146 ipa_otptoken_import.py fails to parse the correct suite defined under the AlgorithmParameters

  • #7144 pkinit-status command fails after an upgrade from a pre-4.5 IPA

  • #7141 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)

  • #7127 sssd.conf not updated after promoting client to promotion

  • #7126 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 don’t have the whoami plugin enabled and thus startup of Web UI fails

  • #7125 ipa-server-upgrade fails with “This entry already exists”

  • #7123 External CA renewal fails when IPA CA subject DN does not match “CN=Certificate Authority, {subject-base}”

  • #7120 Unable to set ca renewal master on replica

  • #7116 dnssec: fix localhsm.py with openhsm >= 2.2.0

  • #7112 user-show command fails when sizelimit is configured to a number <= the number of entities the user is a member of

  • #7108 ipa-backup broken because of cyclic import

  • #7106 TypeError in renew_ca_cert prevents from switching back to self-signed CA

  • #7086 [ipatests] - add caless to cafull tests

  • #7083 failed ipa-server-upgrade, time out from dogtag services, custodia errors

  • #7074 IPA shouldn’t allow objectclass if not all in lower case

  • #7066 WebUI: All columns of user in group table are clickable

  • #7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!

  • #7017 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com

  • #6999 ipa command throws backtrace instead of showing help with wrong syntax

  • #6979 Suggest user to install libyubikey package instead of traceback

  • #6952 Suggest CA installation command in KRA installation warning

  • #6622 [tests] ipatests.util.unlock_principal_password does not respect configured ldap_uri

  • #6605 make lint + make modifies PO files in place

  • #6592 [tracker] SELinux policy tracker for 4.5

  • #6582 Web UI: Change “Host Based” and “Role Based” to “Host-Based” and “Role-Based”

  • #6447 [WebUI] Remove offline version of WebUI

  • #6261 Replace ERROR: cannot connect to ‘http://localhost:8888/ipa/json’: [Errno 111] Connection refused with ‘IPA is not configured on this system’

  • #6176 Updating of DNS system records rapidly slows down uninstallation

Detailed changelog since 4.5.3

Alexander Bokovoy (2)

  • Make sure upgrade also checks for IPv6 stack commit #7083

  • OTP import: support hash names with HMAC- prefix commit #7146

Abhijeet Kasurde (1)

Alexander Koksharov (1)

Aleksei Slaikovskii (2)

  • ipaclient.plugins.dns: Cast DNS name to unicode. commit #7185

  • Less confusing message for PKINIT configuration during install commit #7179

Christian Heimes (1)

  • Block PyOpenSSL to prevent SELinux execmem in wsgi commit #5442

David Kreitschmann (2)

  • Disable pylint in get_help function because of type confusion. commit

  • Store help in Schema before writing to disk commit

David Kupka (11)

  • tests: Add LDAP URI to ldappasswd explicitly commit #6622

  • tests: certmap: Add test for user-{add,remove}-certmap commit #7105

  • tests: tracker: Add CertmapdataMixin tracker commit #7105

  • tests: certmap: Add test for certmapconfig-{mod,show} commit #7105

  • tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands commit #7105

  • tests: certmap: Test permissions for certmap commit #7105

  • tests: certmap: Add basic tests for certmaprule commands commit #7105

  • tests: tracker: Add CertmapTracker for testing certmap-* commands commit #7105

  • tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands commit #7105

  • tests: tracker: Add EnableTracker to test *-{enable,disable} commands commit #7105

  • tests: tracker: Split Tracker into one-purpose Trackers commit #7105

Felipe Volpone (4)

  • Changing idoverrideuser-* to treat objectClass case insensitively commit #7074

  • Fixing how sssd.conf is updated when promoting a client to replica commit #7127

  • Removing part of circular dependency of ipalib in ipaplatform commit #7108

  • Changing how commands handle errors when they can’t connect to the IPA server commit #6261

Florence Blanc-Renaud (5)

  • ipa-cacert-manage renew: switch from ext-signed CA to self-signed commit #7173

  • Backport 4-5: Fix ipa-server-upgrade with server cert tracking commit #7141

  • Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists commit #7125

  • Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) commit #7106

  • Fix ipa config-mod --ca-renewal-master commit #7120

Fraser Tweedale (2)

  • Fix external renewal for CA with non-default subject DN commit #7123

  • Restore old version of caIPAserviceCert for upgrade only commit #7097

Martin Basti (1)

  • DNS update: reduce timeout for CA records commit #6176

Michal Reznik (3)

  • test_caless: add replica ca-less to ca-full test (master caless) commit #7086

  • test_caless: add server_replica ca-less to ca-full test commit #7086

  • tests: fix external_ca test suite failing due to missing SKI commit #7099

Nathaniel McCallum (1)

  • ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace commit #7035

Petr Čech (1)

Petr Vobornik (2)

Pavel Vomacka (9)

  • WebUI: Fix calling undefined method during reset passwords commit #7175

  • WebUI: remove unused parameter from get_whoami_command commit #7175

  • Adds whoami DS plugin in case that plugin is missing commit #7126

  • WebUI: remove creating js/libs symlink from makefile commit #6447

  • WebUI: Remove plugins symlink as it is unused commit #6447

  • Remove all old JSON files commit #6447

  • Revert “Web UI: Remove offline version of Web UI” commit

  • WebUI: Add hyphenated versions of Host(Role) Based strings commit #6582

  • WebUI: fix incorrectly shown links in association tables commit #7066

Rob Crittenden (1)

  • Collect group membership without a size limit commit #7112

Sumit Bose (1)

  • ipa-kdb: reinit trusted domain data for enterprise principals commit #7172

Stanislav Laznicka (4)

  • travis: make tests fail if pep8 does not pass commit

  • Use correct container for ipa-4-5 testing commit

  • pkinit: don’t fail when no pkinit servers found commit #7144

  • travis: temporary workaround for Travis CI commit

Thierry Bordaz (1)

  • NULL LDAP context in call to ldap_search_ext_s during search commit #7017

Tibor Dudlák (1)

  • otptoken_yubikey.py: Removed traceback when package missing. commit #6979

Tomas Krizek (11)

  • Become IPA 4.5.4 commit

  • Update contributors commit

  • Update translations commit

  • prci: use f26 template for ipa-4-5 commit

  • ipatests: collect log after ipa-ca-install commit #7060

  • dnssec: fix localhsm.py utility script commit #7116

  • prci: rename template to ci-ipa-4-5-f25 commit

  • prci: add caless tests commit

  • build: checkout *.po files at the end of makerpms.sh commit #6605

  • freeipa-pr-ci: enable pull-request CI commit

  • 4.5 set back to git snapshot commit