The FreeIPA team is proud to announce FreeIPA v3.3.1!
This is a bugfix release.
It can be downloaded from http://www.freeipa.org/page/Downloads. Fedora 19 builds are already on their way to updates-testing repo.
Highlights in 3.3.1#
Bug fixes#
ipa-server-certinstall now works correctly both with a CA subsystem and in CA-less installations
The –subject option in ipa-server-install is now handled correctly
During installation, directory server tuning is performed correctly on sysV and systemd systems
During installation, the CA service is stopped during configuration file changes to prevent race conditions
Test improvements#
Integration tests for CA-less installation, Kerberos flags, and related Web UI parts were added to the test suite
Test suite now passes after ipa-adtrust-install
Upgrading#
FreeIPA servers with CA installed prior to version 3.1#
Manual upgrade procedure is required for FreeIPA servers installed with version prior to 3.1. Please see http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration for details.
Other FreeIPA servers and clients#
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.
Please note that if you are doing the upgrade in special environment (e.g. FedUp) which does not allow running the LDAP server during upgrade process, upgrade scripts need to be run manually after the first boot:
ipa-upgradeconfig
ipa-ldap-updater –upgrade
Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 3.3.0#
Alexander Bokovoy (1):#
Remove systemd upgrader as it is not used anymore
Ana Krivokapic (4):#
Handle –subject option in ipa-server-install
Fix broken replica installation
Add integration tests for Kerberos Flags
Fix tests which fail after ipa-adtrust-install
Jakub Hrozek (1):#
EXTDOM: Do not overwrite domain_name for INP_SID
Jan Cholasta (12):#
Make PKCS#12 handling in ipa-server-certinstall closer to what other tools do.
Port ipa-server-certinstall to the admintool framework.
Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.
Ignore empty mod error when updating DS SSL config in ipa-server-certinstall.
Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.
Untrack old and track new cert with certmonger in ipa-server-certinstall.
Add –pin option to ipa-server-certinstall.
Ask for PKCS#12 password interactively in ipa-server-certinstall.
Fix nsSaslMapping object class before configuring SASL mappings.
Add –dirman-password option to ipa-server-certinstall.
Fix ipa-server-certinstall usage string.
Fix service-disable in CA-less install.
Martin Kosek (3):#
Prevent *.pyo and *.pyc multilib problems
Remove rpmlint warnings in spec file
Fix selected minor issues in the spec file and license
Nathaniel McCallum (1):#
Bypass ipa-replica-conncheck ssh tests when ssh is not installed
Petr Viktorin (4):#
Allow freeipa-tests to work with older paramiko versions
Add missing license header to ipa-test-config
Add CA-less install tests
Add man pages for testing tools
Petr Vobornik (7):#
Removal of deprecated selenium tests
Add base-id, range-size and range-type options to trust-add dialog
Hide ‘New Certificate’ action on CA-less install
Web UI integration tests: CA-less
Web UI Integration tests: Kerberos Flags
Web UI integration tests: ID range types
Update idrange search facet after trust creation
Rob Crittenden (1):#
Re-order NULL check in ipa_lockout.
Simo Sorce (3):#
pwd-plugin: Fix ignored return error
kdb-mspac: Fix out of bounds memset
kdb-princ: Fix memory leak
Sumit Bose (1):#
CLDAP: make sure an empty reply is returned on any error
Tomas Babej (6):#
Remove support for IPA deployments with no persistent search
Remove redundant shebangs
Perform dirsrv tuning at platform level
Make CS.cfg edits with CA instance stopped
Fix incorrect error message occurence when re-adding the trust
Log proper error message when defaultNamingContext not found