The FreeIPA team is proud to announce FreeIPA v3.3.0 Beta 1.
Important: please see section Upgrading before upgrading the packages, a manual procedure is needed for FreeIPA servers with CA originally installed with FreeIPA version prior to 3.1.
Highlights in 3.3 beta 1#
New features for 3.3#
Active Directory integration:
Support of externally defined POSIX attributes for Active Directory trusted domains
Automatic discovery of Active Directory identity mapping configuration
Support of trusted domain users for legacy clients
Identity mapping for AD users can now be delegated
Performance improvements in processing large number of users and groups
Automated integration testing infrastructure
ipa-advise utility is added to generate client setup advice based on an IPA master configuration
FreeIPA-specific SELinux policies has been merged to the main SELinux policy in Fedora 19
SSSD 1.11 is required
Active Directory integration#
Starting with FreeIPA 3.3, it is possible to define identity ranges for a trusted Active Directory domain that rely on POSIX attributes provided by AD DC instead of generating them out of corresponding security identifiers. This functionality requires Services for Unix (SFU) or Identity Management for UNIX enabled on Active Directory side and is provided mostly to aid with migration to SID-based mapping.
In order to support externally defined POSIX attributes, identity ranges have been extended to support new range types:
AD trust with SID-based mapping: ‘ipa-ad-trust’ (default)
SFU support: ‘ipa-ad-trust-posix’
‘ipa-ad-trust-posix’ range type is activated when range discovery finds out SFU is in use by Active Directory domain. To override automatic detection, –range-type=ipa-ad-trust can be specified to ‘ipa trust-add’ command.
FreeIPA 3.3 requires SSSD 1.11 on the IPA master in order to support externally defined POSIX attributes in AD.
FreeIPA 3.3 provides a new way to enable legacy clients to support trusted domain users. A compatibility tree, provided by slapi-nis, can now be configured to look up trusted domain users and handle authentication for them. This functionality relies on SSSD 1.11 and an experimental patch for slapi-nis. One can enable legacy clients support by running ipa-adtrust-install and answering positively to the corresponding question.
Finally, SSSD 1.11 is used to query identity information about trusted domains’ users from within IPA framework, including SID to name and name to SID resolution. In addition to speed improvements, FreeIPA 3.3 allows to manage mappings for trusted domains’ users without requiring elevated privileges of ‘trust admins’.
When acting on large datasets, FreeIPA now reduces number of potential read roundtrips required to update user and group information. When scaled to thousands of users and groups, this shortens the time required by certain operations tenfold.
Automated testing infrastructure#
The FreeIPA team has been providing self-testing code for a long time.
The FreeIPA 3.3 test suite includes a framework for integration tests that verify functionality such as replication across several machines. Tests can be run manually, or by test automation servers such as Jenkins or Beaker.
Development builds now create a freeipa-tests RPM containing the test suite and related tools. However, as the focus is on testing development code, this package will not be released to Fedora yet.
More details: http://www.freeipa.org/page/V3/Integration_testing
Additionally, it is now possible to run Web UI tests through the test suite.
More details: http://www.freeipa.org/page/Web_UI_Integration_Tests
IPA advise tool#
FreeIPA 3.3 introduces new framework to generate recipes of configuration based on how IPA master is configured. These recipes can be taken to the target client systems and used there to configure them for a specific task.
We expect to expand use of ‘ipa-advise’ tool to cover at least configuration of legacy systems in subsequent releases. Contributions are always welcome to grow capabilities of ‘ipa-advise’ tool to other areas.
SELinux policies specific to FreeIPA have been merged back to the main SELinux policy package in Fedora 19. Starting with FreeIPA 3.2.2 (available in Fedora 19 updates) SELinux policy is no londer provided by freeipa-selinux package and the package is removed in favor of selinux-policy package.
SSSD 1.11 is required#
FreeIPA 3.3 depends on SSSD 1.11 for cross-realm trusts with Active Directory. In particular, FreeIPA 3.3 depends on a new operational mode of SSSD called ‘ipa_server_mode’. Thus, SSSD 1.11 is required for FreeIPA 3.3.
FreeIPA servers with CA installed prior to version 3.1#
Other FreeIPA servers and clients#
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.
Please note, that the performance improvements requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 3.2.0#
Alexander Bokovoy (8):#
Fix cldap parser to work with a single equality filter (NtVer=…)
Make sure domain_name is also set when processing INP_NAME requests
Fix extdom plugin to provide unqualified name in response as sssd expects
Generate syntethic MS-PAC for all services running on IPA master
ipa-adtrust-install: configure compatibility tree to serve trusted domain users
ipa-kdb: cache KDC hostname on startup
ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case
ipaserver/dcerpc: attempt to resolve SIDs through SSSD first
Ana Krivokapic (21):#
Prompt for nameserver IP address in dnszone-add
Do not display success message on failure in web UI
Ignore files generated by build
Deprecate options –dom-sid and –dom-name in idrange-mod
Prevent error when running IPA commands with su/sudo
Fix displaying of success message
Fix location of service.crt in .gitignore
Improve handling of options in ipa-client-install
Fail when adding a trust with a different range
Do not display traceback to user
Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install
Fix bug in adtrustinstance
Use correct DS instance in ipactl status
Avoid systemd service deadlock during shutdown
Make sure replication works after DM password is changed
Use –ignore-dependencies only when necessary
Properly handle non-existent cert files
Add ‘ipa_server_mode’ option to SSSD configuration
Bump version of sssd in spec file
Use admin@REALM when testing if SSSD is ready
Fix internal error in idrange-add
Diane Trout (1):#
Fix log format not a string literal.
Jakub Hrozek (3):#
Remove unused variable
IPA KDB MS-PAC: return ENOMEM if allocation fails
IPA KDB MS-PAC: remove unused variable
Jan Cholasta (21):#
Use the correct PKCS#12 file for HTTP server.
Remove stray error condition in ipa-server-install.
Handle exceptions gracefully when verifying PKCS#12 files.
Skip empty lines when parsing pk12util output.
Do not allow installing CA replicas in CA-less setup.
Do not track DS certificate in CA-less setup.
Fix CA-less check in ipa-replica-install and ipa-ca-install.
Do not skip SSSD known hosts in ipa-client-install –ssh-trust-dns.
Enable SASL mapping fallback.
Skip cert issuer validation in service and host commands in CA-less install.
Check trust chain length in CA-less install.
Use LDAP search instead of *group_show to check if a group exists.
Use LDAP search instead of *group_show to check for a group objectclass.
Use LDAP modify operation directly to add/remove group members.
Add missing substring indices for attributes managed by the referint plugin.
Add missing equality index for ipaUniqueId.
Run gpg-agent explicitly when encrypting/decrypting files.
Add new hidden command option to suppress processing of membership attributes.
Ask for PKCS#12 password interactively in ipa-server-install.
Ask for PKCS#12 password interactively in ipa-replica-prepare.
Print newline after receiving EOF in installutils.read_password.
Lukas Slebodnik (1):#
Use pkg-config to detect cmocka
Martin Kosek (11):#
Set KRB5CCNAME so that dirsrv can work with newer krb5-server
Handle DIR type CCACHEs in test_cmdline properly
Avoid exporting KRB5_KTNAME in dirsrv env
Remove redundant u’’ character
Drop SELinux subpackage
Drop redundant directory /var/cache/ipa/sessions
Remove entitlement support
Run server upgrade and restart in posttrans
Require new selinux-policy replacing old server-selinux subpackage
Bump minimum SSSD version
Become 3.3.0 Beta 1
Nathaniel McCallum (10):#
Add ipaUserAuthType and ipaUserAuthTypeClass
Add IPA OTP schema and ACLs
ipa-kdb: Add OTP support
Add the krb5/FreeIPA RADIUS companion daemon
Remove unnecessary prefixes from ipa-pwd-extop files
Add OTP support to ipa-pwd-extop
Fix client install exception if /etc/ssh is missing
Permit reads to ipatokenRadiusProxyUser objects
Fix for small syntax error in OTP schema
Use libunistring ulc_casecmp() on unicode strings
Petr Spacek (1):#
ipa-client-install: Add ‘debug’ and ‘show’ statements to nsupdate commands
Petr Viktorin (21):#
Remove leading zero from IPA_NUM_VERSION
Relax getkeytab test to allow additional messages on stderr
Remove code to install Dogtag 9
Flush stream after writing service messages
Make an ipa-tests package
Add ipa-run-tests command
Add Nose plugin for BeakerLib integration
Add a plugin for test ordering
Add a framework for integration test configuration
Add a framework for integration testing
Introduce a class for remote commands
Collect logs from tests
Show logs in failed tests
tests: Allow public keys for authentication to the remote machines
tests: Configure/unconfigure remote hosts
Host class improvements
Use dosctrings in BeakerLib phase descriptions
Make BeakerLib logging less verbose
BeakerLib plugin: Log http links in test docstrings
Integration test config: Make it possible to specify host IP
ipa-client: Use “ipa” as the package name for i18n
Petr Vobornik (18):#
Fix: HBAC Test tab is missing
Move spec modifications from facet factories to pre_ops
Unite and move facet pre_ops to related modules
Web UI: move ./_base/metadata_provider.js to ./metadata.js
Regression fix: missing control buttons in nested search facets
Make ssbrowser.html work in IE 10
Fix regression: missing facet tab group labels
Regression fix: rule table with ext. member support doesn’t offer any items
Fix default value selection in radio widget
Do not redirect to https in /ipa/ui on non-HTML files
Create Firefox configuration extension on CA-less install
Disable checkboxes and radios for readonly attributes
Better automated test support
Fix container element in adder dialogs
Upstream Web UI tests
Web UI search optimization
Break long words in notification area
Remove word ‘field’ from GECOS param label
Rob Crittenden (4):#
Bump version for development branch to 3.2.99
Return the correct Content-type on negotiated XML-RPC requests.
Add Camellia ciphers to allowed list.
Hide sensitive attributes in LDAP updater logging and output
Simo Sorce (2):#
CLDAP: Fix domain handling in netlogon requests
CLDAP: Return empty reply on non-fatal errors
Sumit Bose (5):#
Fix format string typo
Fix type of printf argument
Add PAC to master host TGTs
extdom: replace winbind calls with POSIX/SSSD calls
Remove winbind client configure check
Tomas Babej (22):#
Remove redundancy from hbactest help text
Do not translate trust type and direction with –raw in trust_show and trust-find
Support multiple local domain ranges with RID base set
Do not allow removal of ID range of an active trust
Use private ccache in ipa install tools
Remove redundant check for env.interactive
Add prompt_param method to avoid code duplication
Incorporate interactive prompts in idrange-add
Do not check userPassword with 7-bit plugin
Manage ipa-otpd.socket by IPA
Add ipaRangeType attribute to LDAP Schema
Add update plugin to fill in ipaRangeType attribute
Extend idrange commands to support new range origin types
PEP8 fixes in idrange.py
Remove hardcoded values from idrange plugin tests
Return ipaRangeType as a list in idrange commands
Do not redirect ipa/crl to HTTPS
Add –range-type option that forces range type of the trusted domain
Add libsss_nss_idmap-devel to BuildRequires
Change group ownership of CRL publish directory
Provide ipa-advise tool
Use AD LDAP probing to create trusted domain ID range