Release date: 2019-12-14

The FreeIPA team would like to announce the FreeIPA 4.8.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 30 and 31 will be available in the official repositories.

Highlights in 4.8.4

FreeIPA 4.8.4 uses system-provided crypto policy on Fedora and RHEL-based distributions. It enables TLS 1.3 support in its HTTPS end-points.

Support for managing a list of group managers has been added to both the IPA CLI and the Web UI. A group can now have a list of group managers who are allowed to add and remove group members. This allows for more complex per-group permission granting.


Known Issues

Bug fixes

FreeIPA 4.8.4 is a stabilization release for the features delivered as part of the 4.8.0 series.

There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #6951 Update samba config file and use sss idmap module
  • #7323 IPv6 hack for Travis CI
  • #7804 `ipa otptoken-sync` fails with stack trace
  • #7958 traceback in idview
  • #7985 test failure in test_dnssec.py::TestInstallDNSSECLast::()::test_disable_reenable_signing_replica::teardown
  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
  • #8082 Default client configuration breaks ssh in FIPS mode.
  • #8104 RFE: Disable Stale/Inactive Users - Upstream Design Document
  • #8118 Run smoke tests in FIPS mode
  • #8120 Invisible part of notification area in Web UI intercepts clicks of some page elements
  • #8122 group-add-member-manager does not report errors
  • #8123 [WebUI] Finish group membership management UI
  • #8125 Use default crypto policy for TLS and enable TLS 1.3 support
  • #8129 Tests: Replace paramiko with OpenSSH
  • #8131 covscan memory leaks report
  • #8133 check_client_configuration() no longer works with IPA_CONFDIR
  • #8134 ipa user-add is inefficient
  • #8137 reinstall failed in adding delegation layout
  • #8138 Man page ipa-cacert-manage does not display correctly on RHEL
  • #8142 check Not Before / Not After in externally signed CA sanity check
  • #8143 service.ldap_disable() does not remove "enabledService"
  • #8144 test_nfs.py: umount.nfs4: /home: device is busy
  • #8148 add "systemctl restart sssd" to warning message when adding trust agents to replicas
  • #8149 SIDs of AD domains do not display in ipa-client-samba installer

Detailed changelog since 4.8.2

Armando Neto (1)

Alexander Bokovoy (8)

  • ipa-client-samba: map domain sid of trust domain properly for display commit #8149
  • DNS install check: allow overlapping zone to be from the master itself commit
  • covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131
  • covscan: free encryption types in case there is an error commit #8131
  • Become FreeIPA 4.8.3 commit
  • Add Authentication Indicator Kerberos ticket policy options commit #8001
  • Allow presence of LDAP attribute options commit #8001
  • Do not run trust upgrade code if master lacks Samba bindings commit #8001

Anuja More (1)

  • ipatests : Login via ssh using private-key for ipa-user should work. commit

Christian Heimes (18)

Cédric Jeanneret (1)

  • Update selinux-policy minimal requirement commit

François Cami (4)

  • ipatests: fix pr-ci templates' indentation commit
  • ipatests/test_nfs.py: wait before umount commit #8144
  • adtrust.py: mention restarting sssd when adding trust agents commit #8148
  • DSU: add Design for Disable Stale Users commit #8104

Florence Blanc-Renaud (7)

  • ipa-cacert-manage man page: fix indentation commit #8138
  • ipatests: fix TestMigrateDNSSECMaster teardown commit #7985
  • trust upgrade: ensure that host is member of adtrust agents commit
  • ipatests: fix test_crlgen_manage commit
  • ipatests: fix teardown commit
  • ipatests: generic uninstall should call ipa server-del commit #7985
  • Nightly definition: use right template for krbtpolicy commit #8001

MIZUTA Takeshi (1)

  • Add config that maintains existing content to ipa-client-install manpage commit

Rob Crittenden (2)

  • CVE-2019-10195: Don't log passwords embedded in commands in calls using batch commit
  • Add integration test for Kerberos ticket policy commit #8001

Sumit Bose (1)

  • ipa-kdb: Remove keys if password auth is disabled commit #8001

Sergey Orlov (1)

  • ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951

Simo Sorce (1)

  • Make sure to have storage space for tag commit

Serhii Tsymbaliuk (2)

  • WebUI: Fix notification area layout commit #8120
  • WebUI: Fix adding member manager for groups and host groups commit #8123

Timo Aaltonen (1)

  • Debian: Fix font-awesome path. commit

Thomas Woerner (2)

  • Enable TestInstallMasterDNSRepeatedly in prci_definitions commit
  • Test repeated installation of the primary with DNS enabled and domain set commit