The FreeIPA team is proud to announce version FreeIPA v3.0.0.
It can be downloaded from http://www.freeipa.org/page/Downloads.
A build is on the way to updates-testing for Fedora 18. FreeIPA 3.0.0 works well in Fedora 17 but we will not be providing a build in the Fedora 17 following Fedora’s policy of not moving forward with releases.
There is a known issue installing a replica with a dogtag CA in Fedora 18. We are continuing to investigate. Non-CA replica installation is fine, and upgrading a replica with a CA is unaffected.
FreeIPA will be participating in a Fedora 18 Test Day next Monday, October 15. For details see http://fedoraproject.org/wiki/Test_Day:2012-10-15_FreeIPA
Highlights in 3.0.0#
Support for AD Trust
Per-domain DNS permissions
DNS persistent search enabled by default, new zones are seen immediately
New DNS resolver library
Migration improvements
The last administrator cannot be removed or disabled
Forms-based password reset
Redesigned action panels in UI
Sessions for command-line users
Tool to configure automount client, ipa-client-automount
NTLM password hash is generated for existing users on first use of IPA cross-realm environment based on their Kerberos keys without requiring a password change.
Secure identifiers compatible with Active Directory are generated automatically for existing users upon set up of IPA cross-realm environment.
Use certmonger to renew CA subsystem certificates
Support for DNS zone transfers to non-IPA slaves
Internal change to LDAP Distinguished Name handling to be more robust
Better support for Internet Explorer 9 in the UI
Allow multiple servers on client install command-line and configuring without DNS discovery.
Cooperate with new 389-ds-base winsync POSIX plugin so that AD POSIX attribute can be synced with IPA.
Improvements to schema upgrade process.
Exclude some attributes from replication.
Notify success on add, delete and update in UI.
Set the e-mail attribute on new users by default.
SSH public key format has been changed to OpenSSH-style public keys.
Support for the Dogtag CA version 10
New ipa-client-install option to disable OpenSSH client configuration.
Expand Referential Integrity checks on hosts, SUDO and HBAC rule referential attributes
Run the CLEANALLRUV task when deleting a replication agreement to remove replication meta-data about removed master. See the ipa-replica-manage man page for the list of new commands related to CLEANALLRUV command.
Try to prevent orphaning other servers when deleting a master.
Add missing indices for automount and principal aliases which will improve performance.
Provide a new Firefox extension for configuring the browser. Firefox 15 deprecated the interface we used in the past to set the Kerberos negotiation directives. This new extension will be used on Firefox 15 and beyond, and the older interface for older browsers.
Man page improvements
A SID can be created as the last step of ipa-adtrust-install.
Create a default fallback group for AD trust users.
Support for 389-ds-base 1.3.0.
Move CRL publish directory to IPA owned directory
Add uniqueness plugin configuration for sudorule names.
The initial IPA server with a dogtag CA is configured to generate CRLs. Subsequent masters are configured to not generate CRLs. The CRL is available on a non-generating master at http://fqdn.example.com/ipa/crl/MasterCRL.bin.
Upgrading#
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.
Please note, that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel
Detailed Changelog since 3.0.0 rc2#
Alexander Bokovoy (7):
support multi-line error messages in exceptions
Handle NotFound exception when establishing trust
Fix wrong RID for Domain Admins in the examples of trust commands
Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install
Make sure samba{,4}-winbind-krb5-locator package is not used with trusts
Add instructions support to PublicError
Use PublicError instructions support for trust-add case when domain is not found
Jan Cholasta (1):
Do not show full SSH public keys in command output by default.
Martin Kosek (3):
Minor fixes for default SMB group
Move CRL publish directory to IPA owned directory
Fix CA CRL migration crash in ipa-upgradeconfig
Petr Viktorin (4):
ipa-upgradeconfig: Remove the upgrade_httpd_selinux function
replica-install: Don’t copy Firefox config extension files if they’re not in the replica file
Create Firefox extension on upgrade and replica-install
Pull translation files from Transifex
Petr Vobornik (1):
Add mime type to httpd ipa.conf for xpi exetension
Rob Crittenden (6):
Add uniqueness plugin configuration for sudorule cn
Set renewal time for the CA audit certificate to 720 days.
Fix CS replication management.
Configure the initial CA as the CRL generator.
Explicitly disable betxn plugins for the time being.
Become IPA 3.0.0
Simo Sorce (2):
Fix trust attributes for ipa trust-add
Use stricter requirement for krb5-server
Sumit Bose (2):
ipa-adtrust-install: create fallback group with ldif file
ipadb: reload trust information if domain is not known
Tomas Babej (1):
Notify user about necessary ports in ipa-client-install