Jump to: navigation, search


Revision as of 07:07, 8 July 2015 by Mkosek (talk | contribs)
Release date Released 2015-07-08

The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository.

Highlights in 4.2


  • Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA server to have consistent state for all certificate creation request. The certificate submission requests are authorized by the new CA ACL rules (ticket, design)
  • Support One-Way Trust to Active Directory (ticket, design)
  • User life-cycle management management - add inactive stage users using UI or LDAP interface and have them moved to active users by single command. Deleted users can now be also moved - preserved - to special tree and re-activated when user returns, preserving it's UID/GID (ticket, design)
  • Support for Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even FreeIPA server does not know the secrets! (ticket, design, implementation)
  • Datepicker is now used for datetime fields in the Web UI (ticket)
  • Upgrade process was overhauled. There is now single upgrade tool (ipa-server-upgrade) providing simplified interface for upgrading the FreeIPA server. See details in separate subsection. (ticket, design)
  • Service constrained delegation rules can be now added by UI and CLI (ticket, design)
  • FreeIPA Web UI now provides API browser and documentation. See IPA Server - API Browser tab (ticket)
  • Access control instructions were updated so that hosts can create their own services (ticket)
  • FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service (ticket, design)
  • FreeIPA Web Server no longer use deprecated mod_auth_kerb but switched to the modern mod_auth_gssapi (ticket)
  • New automated migration tool from winsync to ID Views (ticket, design)
  • migrate-ds command can now search the migrated users and groups with different scope
  • DNSSEC integration was improved and FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow Deployment Recommendations for DNS.
  • ipa migrate-ds command can now run with different search scopes (ticket)
  • And many other small improvements or bug fixes!

Changes to upgrade

The server still upgrades automatically during RPM update. However, ipactl start now verifies that the server was really upgraded before starting FreeIPA to prevent running upgraded bits on old data when ipa-server-upgrade was not run during RPM update (for example during FedUp Fedora upgrade).

Update files (files in /usr/share/ipa/updates/) format was changed. Namely:

  • Updates are not merged, update files are applied one at a time (ticket)
  • Update entries no longer support CSV - commas can be now freely used in the added attributes
  • Update can now use base64 values (ticket)
  • Update plugins are now not run automatically, but when referenced from update files (plugin: <plugin name>)


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 4.1