The FreeIPA team is proud to announce version FreeIPA v3.0.0.

It can be downloaded from

A build is on the way to updates-testing for Fedora 18. FreeIPA 3.0.0 works well in Fedora 17 but we will not be providing a build in the Fedora 17 following Fedora’s policy of not moving forward with releases.

There is a known issue installing a replica with a dogtag CA in Fedora 18. We are continuing to investigate. Non-CA replica installation is fine, and upgrading a replica with a CA is unaffected.

FreeIPA will be participating in a Fedora 18 Test Day next Monday, October 15. For details see

Highlights in 3.0.0#

  • Support for AD Trust

  • Per-domain DNS permissions

  • DNS persistent search enabled by default, new zones are seen immediately

  • New DNS resolver library

  • Migration improvements

  • The last administrator cannot be removed or disabled

  • Forms-based password reset

  • Redesigned action panels in UI

  • Sessions for command-line users

  • Tool to configure automount client, ipa-client-automount

  • NTLM password hash is generated for existing users on first use of IPA cross-realm environment based on their Kerberos keys without requiring a password change.

  • Secure identifiers compatible with Active Directory are generated automatically for existing users upon set up of IPA cross-realm environment.

  • Use certmonger to renew CA subsystem certificates

  • Support for DNS zone transfers to non-IPA slaves

  • Internal change to LDAP Distinguished Name handling to be more robust

  • Better support for Internet Explorer 9 in the UI

  • Allow multiple servers on client install command-line and configuring without DNS discovery.

  • Cooperate with new 389-ds-base winsync POSIX plugin so that AD POSIX attribute can be synced with IPA.

  • Improvements to schema upgrade process.

  • Exclude some attributes from replication.

  • Notify success on add, delete and update in UI.

  • Set the e-mail attribute on new users by default.

  • SSH public key format has been changed to OpenSSH-style public keys.

  • Support for the Dogtag CA version 10

  • New ipa-client-install option to disable OpenSSH client configuration.

  • Expand Referential Integrity checks on hosts, SUDO and HBAC rule referential attributes

  • Run the CLEANALLRUV task when deleting a replication agreement to remove replication meta-data about removed master. See the ipa-replica-manage man page for the list of new commands related to CLEANALLRUV command.

  • Try to prevent orphaning other servers when deleting a master.

  • Add missing indices for automount and principal aliases which will improve performance.

  • Provide a new Firefox extension for configuring the browser. Firefox 15 deprecated the interface we used in the past to set the Kerberos negotiation directives. This new extension will be used on Firefox 15 and beyond, and the older interface for older browsers.

  • Man page improvements

  • A SID can be created as the last step of ipa-adtrust-install.

  • Create a default fallback group for AD trust users.

  • Support for 389-ds-base 1.3.0.

  • Move CRL publish directory to IPA owned directory

  • Add uniqueness plugin configuration for sudorule names.

  • The initial IPA server with a dogtag CA is configured to generate CRLs. Subsequent masters are configured to not generate CRLs. The CRL is available on a non-generating master at


An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note, that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.


Please provide comments, bugs and other feedback via the freeipa-devel mailing list:

Detailed Changelog since 3.0.0 rc2#

Alexander Bokovoy (7):

  • support multi-line error messages in exceptions

  • Handle NotFound exception when establishing trust

  • Fix wrong RID for Domain Admins in the examples of trust commands

  • Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install

  • Make sure samba{,4}-winbind-krb5-locator package is not used with trusts

  • Add instructions support to PublicError

  • Use PublicError instructions support for trust-add case when domain is not found

Jan Cholasta (1):

  • Do not show full SSH public keys in command output by default.

Martin Kosek (3):

  • Minor fixes for default SMB group

  • Move CRL publish directory to IPA owned directory

  • Fix CA CRL migration crash in ipa-upgradeconfig

Petr Viktorin (4):

  • ipa-upgradeconfig: Remove the upgrade_httpd_selinux function

  • replica-install: Don’t copy Firefox config extension files if they’re not in the replica file

  • Create Firefox extension on upgrade and replica-install

  • Pull translation files from Transifex

Petr Vobornik (1):

  • Add mime type to httpd ipa.conf for xpi exetension

Rob Crittenden (6):

  • Add uniqueness plugin configuration for sudorule cn

  • Set renewal time for the CA audit certificate to 720 days.

  • Fix CS replication management.

  • Configure the initial CA as the CRL generator.

  • Explicitly disable betxn plugins for the time being.

  • Become IPA 3.0.0

Simo Sorce (2):

  • Fix trust attributes for ipa trust-add

  • Use stricter requirement for krb5-server

Sumit Bose (2):

  • ipa-adtrust-install: create fallback group with ldif file

  • ipadb: reload trust information if domain is not known

Tomas Babej (1):

  • Notify user about necessary ports in ipa-client-install