

Revision as of 11:26, 4 December 2020 by Ab
Release date: 2020-12-04

The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 2!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora Rawhide will be available from the official repository soon.

We are not planning to produce builds of release candidates for Fedora 32/33 at this moment. The final FreeIPA 4.9.0 release might be produced for Fedora 33, depending on upgrade test results.

Highlights in 4.9.0 release candidate 2

Bug fixes

FreeIPA 4.9.0 release candidate 2 is a stabilization release for the features delivered as part of the 4.9 version series.

There are more than 10 bug fixes since FreeIPA 4.9.0 release candidate 1. Details of the bug fixes can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #3299 [RFE] Switch the client to JSON RPC
  • #7534 (rhbz#1569011) Investigate failures to restore 389-ds attributes on upgrade failure
  • #7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
  • #7975 Accept 389-ds JSON replication status messages
  • #8424 Add ipa.p11-kit to ipa-client-install man page files list
  • #8514 (rhbz#1885126) Nightly failure (enforcing mode) in test_acme.py::TestACME::test_mod_md
  • #8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
  • #8531 RFE: Use host keytab to obtain ticket for ipa-certupdate
  • #8545 (rhbz#1869605) KRA Transport and Storage Certificates do not renew
  • #8554 (rhbz#1891056) ipa-kdb: support subordinate/superior UPN suffixes
  • #8581 Nightly test failure in test_acme.py::TestACME::test_third_party_certs (updates-testing)
  • #8587 client-only build fails due to unconditional use of pwquality features
  • #8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
  • #8590 Nightly test failure in test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_default::setup
  • #8595 Allow ipa-ca as a name for an IPA server
  • #8597 (rhbz#1901068) Traceback while doing ipa-backup
  • #8601 Nightly test failure in test_trust.py::TestTrust::test_subordinate_suffix
  • #8603 (rhbz#1902727) ipa-acme-manage enable fails after upgrade

Detailed changelog since 4.9.0rc1

Armando Neto (1)

  • ipatests: Bump PR-CI templates commit

Alexander Bokovoy (5)

  • Become FreeIPA 4.9.0rc2 commit
  • Update contributors commit
  • freeipa.spec.in: unify spec files across upstream RHEL, and Fedora commit
  • ad trust: accept subordinate domains of the forest trust root commit #8554
  • util: Fix client-only build commit #8587

Antonio Torres Moríñigo (1)

  • ipa-client-install manpage: add ipa.p11-kit to list of files created commit #8424

Florence Blanc-Renaud (2)

  • ipatests: fix TestTrust::test_subordinate_suffix commit #8601
  • Always define the path DNSSEC_OPENSSL_CONF commit #8597

Mark Reynolds (1)

  • Accept 389-ds JSON replication status messages commit #7975

Mohammad Rizwan (1)

  • ipatests: Test certmonger IPA responder switched to JSONRPC commit #3299

Rob Crittenden (25)

  • Skip the ACME mod_md test when the client is in enforcing mode commit #8514
  • Increase timeout for krbtpolicy to 4800 commit #8589
  • Enable the ccache sweep systemd timer commit #8589
  • ipatests: test that stale caches are removed using the sweeper commit #8589
  • Generate a unique cache for each connection commit #8589
  • Convert reset_to_default_policy into a pytest fixture commit #8589
  • VERSION: back to git snapshots commit
  • ipatests: Test that ipa-ca.$domain can retrieve CRLs without redirect commit #8595
  • Allow Apache to answer to ipa-ca requests without a redirect commit #8595
  • Move where the restore state is marked during IPA server upgrade commit #7534
  • Reorder when ACME is enabled to fix failure on upgrade commit #8603
  • Remove test for minimum ACME support and rely on package deps commit
  • Require PKI 10.10+ for KRA profile and ACME support commit #8524, #8545
  • Test that the KRA profiles can renew its three certificates commit #8545
  • Change KRA profiles in certmonger tracking so they can renew commit #8545
  • ipatests: Increase timeout for ACME in gating.yaml commit #8581
  • ipatests: honor class inheritance in TestACMEwithExternalCA commit #8581
  • ipatests: configure MDStoreDir for mod_md ACME test commit #8581
  • ipatests: Clean up existing ACME registration and certs commit #8581
  • ipatests: Configure a replica in TestACMEwithExternalCA commit #8581
  • ipatests: call the CALess install method to generate the CA commit #8581
  • ipatests: Test that Match ProxyCommand masks on no shell exec commit #7676
  • Create IPA ssh client configuration and move ProxyCommand commit #7676
  • ipatests: Test that ipa-certupdate can run without credentials commit #8531
  • Use host keytab to obtain credentials needed for ipa-certupdate commit #8531

Robbie Harwood (1)

Sudhir Menon (2)

  • ipatests: support subordinate upn suffixes commit
  • ipatests: Tests for ipahealthcheck.ds.nss_ssl commit