IPAv2_2190_beta1
The FreeIPA team is proud to announce version 2.1.90 beta 1. This will eventually become FreeIPA v2.2.0.
It can be downloaded from Downloads or from our development repo (http://freeipa.org/downloads/freeipa-devel.repo). Fedora 16 and 17 builds are available.
Builds for Fedora 15 are no longer being provided. Packages that FreeIPA requires are not available in Fedora 15.
Highlights in 2.1.90 beta 1
- Forms-based login. If Kerberos negotiate authentication fails, you have the option of logging in through a form with a username and password. You can also go directly to /ipa/ui/login.html if you do not have or cannot get a Kerberos ticket. This is the preferred alternative login mechanism over enabling KrbMethodK5Passwd.
- Logout from the UI 
- Support for SSH known-hosts with sssd 1.8.0. This will create a known-hosts file dynamically based on information stored in IPA. 
- DNS forwarders now configurable via IPA 
- Configurable by DNS zone: query policy, transfer policy, forward and reverse synchronization and forward policy. 
- More consistent hostname validation 
- Recommendation that the compat plugin be disabled during migration (unnecessary overhead) 
- On new installations the default users group, ipausers, is now non-POSIX 
Upgrading
We tested upgrades from 2.1.4 successfully but this is beta code. We do not recommend upgrading a production server.
Installing updated rpms is all that is required to upgrade from 2.1.4.
It is unlikely that downgrading to a previous release once 2.1.90 is installed will work.
Upgrading directly from the alpha may work but is untested.
Feedback
Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel
Detailed Changelog since 2.1.90 beta 1
Jan Cholasta (1):
- Configure SSH features of SSSD in ipa-client-install. 
John Dennis (8):
- update translation pot file and PY_EXPLICIT_FILES list 
- update po files 
- created Transifex resource, adjust tx config file to point to it. 
- Tweak the session auth to reflect developer consensus. 
- Implement session activity timeout 
- Implement password based session login 
- Log a message when returning non-success HTTP result 
Martin Kosek (21):
- Ease zonemgr restrictions 
- Update schema for bind-dyndb-ldap 
- Global DNS options 
- Query and transfer ACLs for DNS zones 
- Add DNS conditional forwarding 
- Add API for PTR sync control 
- Add gidnumber minvalue 
- Add reverse DNS record when forward is created 
- Sanitize UDP checks in conncheck 
- Add client hostname requirements to man page 
- Add SSHFP update policy for existing zones 
- Improve dns error message 
- Improve dnsrecord-add interactive mode 
- Improve hostname and domain name validation 
- Improve FQDN handling in DNS and host plugins 
- Improve hostname verification in install tools 
- Fix typos in ipa-replica-manage man page 
- Remove memberPrincipal for deleted replicas 
- Fix encoding for setattr/addattr/delattr 
- Add help for new structured DNS framework 
- Improve dnsrecord interactive help 
Ondrej Hamada (3):
- Validate attributes in permission-add 
- Migration warning when compat enabled 
- ipa-client-install not calling authconfig 
Petr Viktorin (6):
- Make ipausers a non-posix group on new installs 
- Add extra checking function to XMLRPC test framework 
- Add common helper for interactive prompts 
- Make sure the nolog argument to ipautil.run is not a bare string 
- Use stricter semantics when checking IP address for DNS records 
- Use stricter semantics when checking IP address for DNS records 
- Use reboot from /sbin 
Petr Voborník (18):
- Fixed content type check in login_password 
- Improved usability of login dialog 
- Removed CSV creation from UI 
- Fixed problem when attributes_widget was displaying empty option 
- Added missing configuration options 
- Static metadata update - new DNS options 
- New checkboxes option: Mutual exclusive 
- DNS Zone UI: added new attributes 
- DNS UI: added A,AAAA create reverse options to adder dialog 
- Fixed displaying of A6 Record 
- New UI for DNS global configuration 
- Multiple fields for one attribute 
- Added attrs to permission when target is group or filter 
- Moved is_empty method from field to IPA object 
- Making validators to return true result if empty 
- Fixed DNS record add handling of 4304 error 
- Added unsupported_validator 
- Fixed redirection in Add and edit in automember hostgroup. 
- Fixed selection of single value in combobox 
- Added logout button 
- Forms based authentication UI 
Rob Crittenden (37):
- Limit the change password permission so it can’t change admin passwords 
- Don’t allow “Modify Group membership” permission to manage admins 
- Add the -v option to sslget to provide more verbose errors 
- Make sure memberof is in replication attribute exclusion list. 
- Don’t check for schema uniqueness when comparing in ldapupdate. 
- Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtag 
- Don’t allow IPA master hosts or important services be deleted. 
- Catch public exceptions when creating the LDAP context in WSGI. 
- Don’t consider virtual attributes when validating custom objectclasses 
- Add Requires to ipa-client on oddjob-mkhomedir 
- Fix managing winsync replication agreements with ipa-replica-manage 
- Check for duplicate winsync agreement before trying to set one up. 
- Remove unused kpasswd.keytab and ldappwd files if they exist. 
- Make sure 389-ds is running when adding memcache service in upgrade. 
- Don’t run restorecon if SELinux is disabled or not present. 
- Limit allowed characters in a netgroup name to alpha, digit, -, _ and . 
- Don’t call memberof task when re-initializing a replica. 
- Fix bad merge of not calling memberof task when re-initializing a replica 
- Add support defaultNamingContext and add --basedn to migrate-ds
- Fix nested netgroups in NIS. 
- Warn that deleting replica is irreversible, try to detect reconnection. 
- Don’t set migrated user’s GID to that of default users group. 
- Don’t delete system users that are added during installation. 
- Only apply validation rules when adding and updating. 
- subclass HTTP_Status from plugable.Plugin, fix not_found tests 
- Make hostnames adhere to new standards in HBAC tests 
- Fix WSGI error handling 
- Add status command to retrieve user lockout status 
- Add support for sudoOrder 
- Make hostnames adhere to new standards in hbactest plugin tests 
- Fix API.txt and VERSION to reflect new sudoOrder option. 
- Add --noac option to ipa-client-install man page
- Do kinit in client before connecting to backend 
- Only warn if ipa-getkeytab doesn’t get all requested enctypes. 
- Fix NSS no_init in the NSSHTTPS class 
Simo Sorce (4):
- ipa-kdb: Fix ACL evaluator 
- policy: add function to check lockout policy 
- ipa-kdb: fix delegation acl check 
- Fix ticket checks when using either s4u2proxy or a delegated krbtgt 
