The FreeIPA team is proud to announce FreeIPA v4.0.2!

It can be downloaded from The builds will be available for Fedora 21. Builds for Fedora 20 are available in the official COPR repository.

Highlights in 4.0.2#


  • TOTP watermark support was added. The last token interval is now being added to database and replicated in FreeIPA realm. Note that the number of writes is kept the same as an unnecessary LDAP write was eliminated.

  • Effective Attributes widget in the Add Permission Web UI page was improved

  • ipa-csreplica-manage can now set CA renewal master

  • trust-add is now capable of ensuring conditions for a Trust are met prior to establishing it in complex environments (e.g. only adding trust via AD DC with a PDC role in a forest root domain, falling back when no closest AD DC is available for the local site)

Bug fixes#

  • Server installation with certificates signed by external CA could crash with IndexError

  • ipa-client-install could add duplicate “sss” to /etc/nsswitch.conf when configuring sudo

  • ipa-client-install crashed when non-zero minSSF was set on FreeIPA server

  • Installers and helper tools now communicate with certmonger via its DBUS API instead of manipulating its configuration files, fixing the related intermittent uninstallation failures

  • idrange-* commands no longer allow unsupported range types (ipa-ad-winsync, ipa-ipa-trust)

  • user-add no longer fails when –user-auth-type is specified

  • Entries in Schema Compatibility tree are now accessible anonymously by default to aid legacy clients.

Known Issues#

  • The Directory Server may crash during install due to 389-ds bug 47889.

  • Enumeration in SSSD may fail due to 389-ds bug 47885.

  • Zone removal may misbehave due to a bind-dyndb-ldap bug. If FreeIPA is used to manage DNS root zones, bind-dyndb-ldap 5.1 or higher is recommended. Bind-dyndb-ldap 5.2 was built for Fedora 20, 21, rawhide.


An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that if you are doing the upgrade in special environment (e.g. FedUp) which does not allow running the LDAP server during upgrade process, upgrade scripts need to be run manually after the first boot:

# ipa-ldap-updater --upgrade
# ipa-upgradeconfig

Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.


Please provide comments, bugs and other feedback via the freeipa-users mailing list ( or #freeipa channel on Freenode.

Detailed Changelog since 4.0.1#

Alexander Bokovoy (5)#

  • ipaserver/ if search of a closest GC failed, try to find any GC

  • ipaserver/ make PDC discovery more robust

  • ipaserver/ Avoid hitting issue with transitive trusts on Windows Server prior to 2012

  • ipaserver/ be more open to what domains can be seen through the forest trust

  • ipaserver/ Make sure trust is established only to forest root domain

David Kupka (7)#

  • Fix group-remove-member crash when group is removed from a protected group

  • test group: remove group from protected group.

  • Verify otptoken timespan is valid

  • Add record(s) to /etc/host when IPA is configured as DNS server.

  • Use certmonger D-Bus API instead of messing with its files.

  • Do not restart apache server when not necessary.

  • Allow user to force Kerberos realm during installation.

Gabe (1)#

  • ipa trust-add command should be interactive

Jakub Hrozek (1)#

  • CLIENT: Explicitly require python-backports-ssl_match_hostname

Jan Cholasta (11)#

  • Check if /root/ipa.csr exists when installing server with external CA.

  • Exclude attributelevelrights from –raw result processing in baseldap.

  • Add test for baseldap.entry_to_dict.

  • Convert external CA chain to PKCS#7 before passing it to pkispawn.

  • Allow changing CA renewal master in ipa-csreplica-manage.

  • Add method for setting CA renewal master in LDAP to CAInstance.

  • Pick new CA renewal master when deleting a replica.

  • Normalize external CA cert before passing it to pkispawn

  • Add new NSSDatabase method get_cert for getting certs from NSS databases.

  • Make CA-less ipa-server-install option –root-ca-file optional.

  • Backup CS.cfg before modifying it

Martin Bašti (7)#

  • Fix DNS upgrade plugin should check if DNS container exists

  • FIX: named_enable_dnssec should verify if DNS is installed

  • Allow to add host if AAAA record exists

  • Tests: host tests with dns

  • Fix dnsrecord-mod raise error if last record attr is removed

  • FIX DNS wildcard records (RFC4592)

  • Tests: DNS wildcard records

Martin Košek (2)#

  • Do not crash client basedn discovery when SSF not met

  • ipa-adtrust-install does not re-add member in adtrust agents group

Nathaniel McCallum (1)#

  • Ensure ipaUserAuthTypeClass when needed on user creation

Petr Viktorin (8)#

  • Update API.txt

  • test_ipagetkeytab: Fix assertion in negative test

  • Add python-backports-ssl_match_hostname to BuildRequires

  • permission plugin: Make –target available in the CLI

  • permission plugin: Improve description of the target option

  • Add managed read permissions for compat tree

  • Fix: Add managed read permissions for compat tree and operational attrs

  • Become IPA 4.0.2

Petr Voborník (10)#

  • webui: support wildcard attribute level rights

  • webui: fix nested items creation in dropdown list

  • webui: internet explorer fixes

  • webui: detach facet nodes

  • webui: replace action_buttons with action_widget

  • webui: remove remaining action-button-disabled occurrences

  • webui-ci: fix reset password check

  • webui: better error reporting

  • webui-ci: fix table widget add

  • webui: extract complex pkey on Add and Edit

Rob Crittenden (1)#

  • No longer generate a machine certificate on client installs

Stephen Gallagher (1)#

  • Change BuildRequires for Java

Tomáš Babej (3)#

  • ipalib: idrange: Make non-implemented range types fail the validation

  • ipatests: test_trust: Add test to cover lookup of trusdomains

  • ipa-client-install: Do not add already configured sources to nsswitch.conf entries