The FreeIPA team is proud to announce FreeIPA v3.1.3.

It can be downloaded from

This release includes backports of selected (mainly Trust-related) features from the upcoming FreeIPA 3.2.0 release. Subsequent 3.1.x releases will contain primarily bug fixes.

Highlights in 3.1.3

New features

  • New cert-find command. Searches certificates in the Dogtag database by serial number, validity or revocation details. This feature is available both as a CLI command and as a Web UI page.

  • New trustconfig-show and trustconfig-mod commands. Show or modify the AD Trust settings generated during AD Trust installation (ipa-adtrust-install).

  • New realmdomains-show and realmdomains-mod commands. Manage the list of domains managed by the FreeIPA server. In future releases this list will be used to inform trusted domains about the domains managed by FreeIPA. This feature is available both as a CLI command and as a Web UI page.

  • Support for trusted domain users in the HBAC test command (hbactest command).

  • Allow filtering of incoming trusted domain SIDs per trust (trust-mod command).

  • Faster UI loading. The FreeIPA Web UI application is now packaged in minified form, and the FreeIPA web server is now also able to transmit data in compressed form.

Bug fixes

  • Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and groups from OpenLDAP database instances.

  • The migration process is now also a lot faster and provides more debug output (in the httpd error log).

  • SUDO rules disabled by the sudorule-disable command are now removed from the ou=sudoers compat tree without the need to restart the 389 Directory Server instance.

  • Fixed the LDAP schema upgrade when upgrading from a pre-2.2.0 release.

  • Fixed server installation with an external CA (--external-ca).

  • Consolidated the on-line help system; help is now shown without the need for valid Kerberos credentials (ipa help).

  • … and many other stabilization fixes; see the Detailed Changelog below for full details.


An IPA server can be upgraded simply by installing the updated RPMs. The server does not need to be shut down in advance.

Please note that the referential integrity extension requires an extended set of indexes to be configured. The RPM update for an IPA server with a very large number of hosts, SUDO or HBAC entries may therefore take several minutes to finish.

If you have multiple servers, you may upgrade them one at a time. It is expected that all servers will be upgraded within a relatively short period (days or weeks, not months). Mixed versions should be able to co-exist peacefully, but new features will not be available on old servers, and enrolling a new client against an old server will result in the client's SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.


Please provide comments, bugs and other feedback via the freeipa-users mailing list:

Detailed Changelog since 3.1.2

Alexander Bokovoy (2):

  • ipasam: use base scope when fetching domain information about own domain

  • Process exceptions when talking to Dogtag

Ana Krivokapic (6):

  • Take into consideration services when deleting replicas

  • Add list of domains associated to our realm to cn=etc

  • Remove check for alphabetic only characters from domain name validation

  • Fix internal error for ipa show-mappings

  • Realm Domains page

  • Use default NETBIOS name in unattended ipa-adtrust-install

Jakub Hrozek (1):

  • Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir

Jan Cholasta (6):

  • Pylint cleanup.

  • Raise ValidationError on invalid CSV values.

  • Run interactive_prompt callbacks after CSV values are split.

  • Fix remove while iterating in suppress_netgroup_memberof.

  • Remove disabled entries from sudoers compat tree.

  • Fix internal error in output_for_cli method of sudorule_{enable,disable}.

Martin Kosek (33):

  • Fix migration for openldap DS

  • Remove unused krbV imports

  • Use fully qualified CCACHE names

  • Fix permission_find test error

  • Add trustconfig-show and trustconfig-mod commands

  • ipa-kdb: add sentinel for LDAPDerefSpec allocation

  • ipa-kdb: avoid ENOMEM when all SIDs are filtered out

  • ipa-kdb: reinitialize LDAP configuration for known realms

  • Add SID blacklist attributes

  • ipa-kdb: read SID blacklist from LDAP

  • ipa-sam: Fill SID blacklist when trust is added

  • ipa-adtrust-install should ask for SID generation

  • Test NetBIOS name clash before creating a trust

  • Generalize AD GC search

  • Do not hide SID resolver error in group-add-member

  • Add support for AD users to hbactest command

  • Fix hbachelp examples formatting

  • ipa-kdb: remove memory leaks

  • ipa-kdb: fix retry logic in ipadb_deref_search

  • Add autodiscovery section in ipa-client-install man pages

  • Avoid internal error when user is not Trust admin

  • Use fixed test domain in realmdomains test

  • Remove ORDERING for IA5 attributeTypes

  • Fix includedir directive in krb5.conf template

  • Preserve order of servers in ipa-client-install

  • Avoid multiple client discovery with fixed server list

  • Fix client discovery crash

  • ipa-client discovery with anonymous access off

  • Use temporary CCACHE in ipa-client-install

  • Improve client install LDAP cert retrieval fallback

  • Configure ipa_dns DS plugin on install and upgrade

  • Bump selinux-policy requires

  • Become 3.1.3

Petr Spacek (1):

  • Add 389 DS plugin for special idnsSOASerial attribute handling

Petr Viktorin (23):

  • Add the CA cert to LDAP after the CA install

  • Port ipa-replica-prepare to the admintool framework

  • Don’t add another nsDS5ReplicaId on updates if one already exists

  • Improve `ipa --help` output

  • Print help to stderr on error

  • Store the OptionParser in the API, use it to print unified help messages

  • Simplify `ipa help topics` output

  • Add command summary to `ipa COMMAND --help` output

  • Mention `ipa COMMAND --help` as the preferred way to get command help

  • Parse command arguments before creating a context

  • Add tests for the help command & --help options

  • In topic help text, mention how to get help for commands

  • Check SSH connection in ipa-replica-conncheck

  • Use ipauniqueid for the RDN of sudo commands

  • Prevent a sudo command from being deleted if it is a member of a sudo rule

  • Update sudocmd ACIs to use targetfilter

  • Add the version option to all Commands

  • Add ipalib.messages

  • Add client capabilities, enable messages

  • Rename the “messages” Output of the i18n_messages command to “texts”

  • Fix permission validation and normalization in

  • cli: Do interactive prompting after a context is created

  • Fix installing server with external CA

Petr Vobornik (36):

  • Make confirm_dialog a base class of revoke and restore certificate dialogs

  • Make confirm_dialog a base class for deleter dialog

  • Make confirm_dialog a base class for message_dialog

  • Confirm mixin

  • Confirm adder dialog by enter

  • Confirm error dialog by enter

  • Focus last dialog when some is closed

  • Confirm association dialogs by enter

  • Standardize login password reset, user reset password and host set OTP dialogs

  • Focus first input element after ‘Add and Add another’

  • Enable mod_deflate

  • Use Uglify.js for JS optimization

  • Dojo Builder

  • Config files for builder of FreeIPA UI layer

  • Minimal Dojo layer

  • Web UI development environment directory structure and configuration

  • Web UI Sync development utility

  • Move of Web UI non AMD dep. libs to libs subdirectory

  • Move of core Web UI files to AMD directory

  • Update JavaScript Lint configuration file

  • AMD config file

  • Change Web UI sources to simple AMD modules

  • Updated makefiles to build FreeIPA Web UI layer

  • Change tests to use AMD loader

  • Fix BuildRequires: rhino replaced with java-1.7.0-openjdk

  • Develop.js extended

  • Allow to specify modules for which builder doesn’t raise dependency error

  • Web UI build profile updated

  • Combobox keyboard support

  • Fix dirty state update of editable combobox

  • Fix handling of no_update flag in Web UI

  • Web UI: configurable SID blacklists

  • Web UI:Certificate pages

  • Web UI:Choose different search option for cert-find

  • Added Web UI support for service PAC type option: NONE

  • Load extension.js after UI AMD modules.

Rob Crittenden (10):

  • Make certmonger a (pre) requires on server, restart it before upgrading

  • Use new certmonger locking to prevent NSS database corruption.

  • Better logging for AdminTool and ipa-ldap-updater

  • Improve migration performance

  • Add LDAP server fallback to client installer

  • Prevent a crash when no entries are successfully migrated.

  • Implement the cert-find command for the dogtag CA backend.

  • Add missing v3 schema on upgrades, fix typo in schema.

  • Don’t base64-encode the CA cert when uploading it during an upgrade.

  • Improve some error handling in ipa-replica-manage

Sumit Bose (7):

  • ipa-kdb: remove unused variable

  • ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()

  • ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()

  • ipa-kdb: Dereference after null check in ipa_kdb_mspac.c

  • ipa-lockout: Wrong sizeof argument in ipa_lockout.c

  • ipa-extdom: Double-free in ipa_extdom_common.c

  • ipa-pwd: Unchecked return value ipapwd_chpwop()

Tomas Babej (13):

  • Fix a typo in ipa-adtrust-install help

  • Prevent integer overflow when setting krbPasswordExpiration

  • Add option to specify SID using domain name to idrange-add/mod

  • Prevent changing protected group’s name using --setattr

  • Use default.conf as flag of IPA client being installed

  • Make sure appropriate exit status is returned in make-test

  • Make options checks in idrange-add/mod consistent

  • Add trusted domain range objectclass when using idrange-mod

  • Perform secondary rid range overlap check for local ranges only

  • Make sure uninstall script prompts for reboot as last

  • Remove implicit Str to DN conversion using *-attr

  • Enforce exact SID match when adding or modifying a ID range

  • Add logging to join command

sbose (1):

  • ipa-kdb: Free talloc autofree context when module is closed