Jump to: navigation, search


Revision as of 10:55, 3 December 2018 by Ab (talk | contribs) (Created page with " {{ReleaseDate|2018-12-03}} The FreeIPA team would like to announce FreeIPA 4.7.2 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Release date Released 2018-12-03

The FreeIPA team would like to announce FreeIPA 4.7.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 29 and Fedora 28 will be available in the official [https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR repository] and also published to Fedora 28 and Fedora 29 updates.

Highlights in 4.7.2

Bugfixes to make FreeIPA 4.7 work well on Fedora 29 and RHEL 8.0 beta.

Known Issues

Bug fixes

FreeIPA 4.7.2 is a stabilization release for the features delivered as a part of 4.7 release series.

There are more than 10 bug-fixes details of which can be seen in the list of resolved tickets below.


Upgrade instructions are available on Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

  • 7779 Update PR-CI definitions to use Fedora 29
  • 7776 authselect 1.0.2 fails on unknown feature
  • 7772 pylint 2.2.0 violations
  • 7769 Installer does not detect that kadmin port 749/UDP is blocked
  • 7767 make fasttest errors because of missing python3-lib389
  • 7758 pylint-2.1.1 errors on Fedora 29
  • 7754 Replace archaic term messagebus with dbus
  • 7753 CID 323644: logically dead code in ipaserver.install.adtrust.py
  • 7741 Smart card advise script uses hard-coded Python interpreter
  • 7729 Bad output on failed client installation rollback
  • 7728 RFE: Validation and better error messages when novajoin fails because of SSL errors
  • 7723 NTP options fails on ipa replica
  • 7671 Remove --no-sssd and --noac options
  • 7658 [RFE] sysadm_r should be included in default SELinux user map order
  • 7651 ipa-replica-install --setup-kra broken on DL1
  • 7408 ipa-replica-install command should display proper message on the console.
  • 5378 Incorrect error message at wrong password from private key file

Detailed changelog since 4.7.1

Alexander Bokovoy (6)

  • Become IPA 4.7.2
  • ipa-kdb: reduce LDAP operations timeout to 30 seconds
  • ipa-4-7: merge translations from zanata
  • ipaserver.install.adtrust: fix CID 323644
  • net groupmap: force using empty config when mapping Guests
  • adtrust: define Guests mapping after creating cifs/ principal

Adam Williamson (1)

  • Fix authselect invocations to work with 1.0.2

Christian Heimes (35)

  • Update temp commit template to F29
  • Increase debugging for blocked port 749 and 464
  • Address misc pylint issues in CLI scripts
  • pylint: also verify scripts
  • pylint: Fix duplicate-string-formatting-argument
  • pylint 2.2: Fix unnecessary pass statement
  • PR-CI: Restart rpcbind when it blocks kadmin port
  • Fix pytest deprecation warning
  • certdb: validate server cert signature
  • Require pylint 2.1.1-2
  • Silence comparison-with-itself in tests
  • Fix raising-format-tuple
  • Fix various dict related pylint warnings
  • Fix Module 'pytest' has no 'config' member
  • Fix useless-import-alias
  • Fix comparison-with-callable
  • Address consider-using-in
  • Ignore consider-using-enumerate for now
  • Address inconsistent-return-statements
  • Address pylint violations in lite-server
  • Ignore W504 code style like in travis config
  • Fix test_cli_fsencoding on Python 3.7, take 2
  • Replace messagebus with modern name dbus
  • Copy-paste error in permssions plugin, CID 323649
  • Allow ipaapi user to access SSSD's info pipe
  • Fix test_cli_fsencoding on Python 3.7
  • ipapwd_pre_mod: NULL ptr deref
  • ipadb_mspac_get_trusted_domains: NULL ptr deref
  • has_krbprincipalkey: avoid double free
  • Require Dogtag 10.6.7-3
  • Use tasks.install_master() in external_ca tests
  • Keep Dogtag's client db in external CA step 1
  • Replace hard-coded interpreter with sys.executable
  • Don't abuse strncpy() length limitation
  • Fix ipadb_multires resource handling

François Cami (3)

  • Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
  • Add a shared-vault-retrieve test
  • Add sysadm_r to default SELinux user map order

Florence Blanc-Renaud (19)

  • ipatests: add upgrade test for double-encoded cacert
  • ipa upgrade: handle double-encoded certificates
  • ipatests: add xmlrpc test for user|host-find --certificate
  • ipaldap.py: fix method creating a ldap filter for IPACertificate
  • ipatests: fix test_replica_uninstall_deletes_ruvs
  • ipatests: add test for ipa-replica-install options
  • ipa-replica-install: password and admin-password options mutually exclusive
  • freeipa.spec.in: add BuildRequires for python3-lib389
  • ipatests: add integration test for "Read radius servers" perm
  • radiusproxy: add permission for reading radius proxy servers
  • tests: add xmlrpc test for ipa user-add --radius-username
  • ipa user-add: add optional objectclass for radius-username
  • ipatest: add functional test for ipa-backup
  • ipa-backup: restart services before compressing the backup
  • ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
  • ipatests: fix path in expected error message
  • Bump requires 389-ds-base
  • ipa tests: CA less
  • certdb: provide meaningful err msg for wrong PIN

Francisco Trivino (2)

  • PR-CI: Move to Fedora 29 template, version 0.2.0
  • prci_definitions: update vagrant memory topology requirements

Fraser Tweedale (6)

  • certdb: validate certificate signatures
  • Print correct subject on CA cert verification failure
  • certdb: ensure non-empty Subject Key Identifier
  • ipaldap: avoid invalid modlist when attribute encoding differs
  • rpc: always read response
  • Restore KRA clone installation integration test

Varun Mylaraiah (1)

Petr Vobornik (1)

  • ipa-advise: update url of cacerdir_rehash tool

Rob Crittenden (10)

  • Add support for multiple certificates/formats to ipa-cacert-manage
  • Add tests for ipa-cacert-manage install
  • Enable replica install info logging to match ipa-server-install
  • Demote log message in custodia _wait_keys to debug
  • Pass a list of values into add_master_dns_records
  • Collect the client and server uninstall logs in tests
  • Fix misleading errors during client install rollback
  • Remove the authselect profile warning if sssd was not configured.
  • Handle NTP configuration in a replica server installation
  • Enable LDAP debug output in client to display TLS errors in join

Stanislav Levin (1)

  • Move ipa's systemd tmpfiles from /var/run to /run

Sergey Orlov (2)

  • ipatests: add test for ipa-restore in multi-master configuration
  • ipatests: add test for ipa-advise for enabling sudo for admins group

sudharsanomprakash (1)

  • Don't use deprecated Apache Access options.

Thomas Woerner (5)

  • Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
  • Fix ressource leak in client/config.c get_config_entry
  • Update annobin to fix continuous-integration/travis-ci/pr issues
  • Find orphan automember rules
  • ipaclient: Remove --no-sssd and --no-ac options