The FreeIPA team is proud to announce FreeIPA v3.3.1!

This is a bugfix release.

It can be downloaded from Fedora 19 builds are already on their way to updates-testing repo.

Highlights in 3.3.1#

Bug fixes#

  • ipa-server-certinstall now works correctly both with a CA subsystem and in CA-less installations

  • The –subject option in ipa-server-install is now handled correctly

  • During installation, directory server tuning is performed correctly on sysV and systemd systems

  • During installation, the CA service is stopped during configuration file changes to prevent race conditions

Test improvements#

  • Integration tests for CA-less installation, Kerberos flags, and related Web UI parts were added to the test suite

  • Test suite now passes after ipa-adtrust-install


FreeIPA servers with CA installed prior to version 3.1#

Manual upgrade procedure is required for FreeIPA servers installed with version prior to 3.1. Please see for details.

Other FreeIPA servers and clients#

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that if you are doing the upgrade in special environment (e.g. FedUp) which does not allow running the LDAP server during upgrade process, upgrade scripts need to be run manually after the first boot:

  1. ipa-upgradeconfig

  2. ipa-ldap-updater –upgrade

Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.


Please provide comments, bugs and other feedback via the freeipa-users mailing list ( or #freeipa channel on Freenode.

Detailed Changelog since 3.3.0#

Alexander Bokovoy (1):#

  • Remove systemd upgrader as it is not used anymore

Ana Krivokapic (4):#

  • Handle –subject option in ipa-server-install

  • Fix broken replica installation

  • Add integration tests for Kerberos Flags

  • Fix tests which fail after ipa-adtrust-install

Jakub Hrozek (1):#

  • EXTDOM: Do not overwrite domain_name for INP_SID

Jan Cholasta (12):#

  • Make PKCS#12 handling in ipa-server-certinstall closer to what other tools do.

  • Port ipa-server-certinstall to the admintool framework.

  • Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.

  • Ignore empty mod error when updating DS SSL config in ipa-server-certinstall.

  • Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.

  • Untrack old and track new cert with certmonger in ipa-server-certinstall.

  • Add –pin option to ipa-server-certinstall.

  • Ask for PKCS#12 password interactively in ipa-server-certinstall.

  • Fix nsSaslMapping object class before configuring SASL mappings.

  • Add –dirman-password option to ipa-server-certinstall.

  • Fix ipa-server-certinstall usage string.

  • Fix service-disable in CA-less install.

Martin Kosek (3):#

  • Prevent *.pyo and *.pyc multilib problems

  • Remove rpmlint warnings in spec file

  • Fix selected minor issues in the spec file and license

Nathaniel McCallum (1):#

  • Bypass ipa-replica-conncheck ssh tests when ssh is not installed

Petr Viktorin (4):#

  • Allow freeipa-tests to work with older paramiko versions

  • Add missing license header to ipa-test-config

  • Add CA-less install tests

  • Add man pages for testing tools

Petr Vobornik (7):#

  • Removal of deprecated selenium tests

  • Add base-id, range-size and range-type options to trust-add dialog

  • Hide ‘New Certificate’ action on CA-less install

  • Web UI integration tests: CA-less

  • Web UI Integration tests: Kerberos Flags

  • Web UI integration tests: ID range types

  • Update idrange search facet after trust creation

Rob Crittenden (1):#

  • Re-order NULL check in ipa_lockout.

Simo Sorce (3):#

  • pwd-plugin: Fix ignored return error

  • kdb-mspac: Fix out of bounds memset

  • kdb-princ: Fix memory leak

Sumit Bose (1):#

  • CLDAP: make sure an empty reply is returned on any error

Tomas Babej (6):#

  • Remove support for IPA deployments with no persistent search

  • Remove redundant shebangs

  • Perform dirsrv tuning at platform level

  • Make CS.cfg edits with CA instance stopped

  • Fix incorrect error message occurence when re-adding the trust

  • Log proper error message when defaultNamingContext not found