The FreeIPA team is proud to announce FreeIPA v4.0.2!
Highlights in 4.0.2#
TOTP watermark support was added. The last token interval is now being added to database and replicated in FreeIPA realm. Note that the number of writes is kept the same as an unnecessary LDAP write was eliminated.
Effective Attributes widget in the Add Permission Web UI page was improved
ipa-csreplica-manage can now set CA renewal master
trust-add is now capable of ensuring conditions for a Trust are met prior to establishing it in complex environments (e.g. only adding trust via AD DC with a PDC role in a forest root domain, falling back when no closest AD DC is available for the local site)
Server installation with certificates signed by external CA could crash with IndexError
ipa-client-install could add duplicate “sss” to /etc/nsswitch.conf when configuring sudo
ipa-client-install crashed when non-zero minSSF was set on FreeIPA server
Installers and helper tools now communicate with certmonger via its DBUS API instead of manipulating its configuration files, fixing the related intermittent uninstallation failures
idrange-* commands no longer allow unsupported range types (ipa-ad-winsync, ipa-ipa-trust)
user-add no longer fails when –user-auth-type is specified
Entries in Schema Compatibility tree are now accessible anonymously by default to aid legacy clients.
The Directory Server may crash during install due to 389-ds bug 47889.
Enumeration in SSSD may fail due to 389-ds bug 47885.
Zone removal may misbehave due to a bind-dyndb-ldap bug. If FreeIPA is used to manage DNS root zones, bind-dyndb-ldap 5.1 or higher is recommended. Bind-dyndb-ldap 5.2 was built for Fedora 20, 21, rawhide.
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.
Please note that if you are doing the upgrade in special environment (e.g. FedUp) which does not allow running the LDAP server during upgrade process, upgrade scripts need to be run manually after the first boot:
# ipa-ldap-updater --upgrade
Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 3.3.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.0.1#
Alexander Bokovoy (5)#
ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC
ipaserver/dcerpc.py: make PDC discovery more robust
ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
ipaserver/dcerpc.py: Make sure trust is established only to forest root domain
David Kupka (7)#
Fix group-remove-member crash when group is removed from a protected group
test group: remove group from protected group.
Verify otptoken timespan is valid
Add record(s) to /etc/host when IPA is configured as DNS server.
Use certmonger D-Bus API instead of messing with its files.
Do not restart apache server when not necessary.
Allow user to force Kerberos realm during installation.
ipa trust-add command should be interactive
Jakub Hrozek (1)#
CLIENT: Explicitly require python-backports-ssl_match_hostname
Jan Cholasta (11)#
Check if /root/ipa.csr exists when installing server with external CA.
Exclude attributelevelrights from –raw result processing in baseldap.
Add test for baseldap.entry_to_dict.
Convert external CA chain to PKCS#7 before passing it to pkispawn.
Allow changing CA renewal master in ipa-csreplica-manage.
Add method for setting CA renewal master in LDAP to CAInstance.
Pick new CA renewal master when deleting a replica.
Normalize external CA cert before passing it to pkispawn
Add new NSSDatabase method get_cert for getting certs from NSS databases.
Make CA-less ipa-server-install option –root-ca-file optional.
Backup CS.cfg before modifying it
Martin Bašti (7)#
Fix DNS upgrade plugin should check if DNS container exists
FIX: named_enable_dnssec should verify if DNS is installed
Allow to add host if AAAA record exists
Tests: host tests with dns
Fix dnsrecord-mod raise error if last record attr is removed
FIX DNS wildcard records (RFC4592)
Tests: DNS wildcard records
Martin Košek (2)#
Do not crash client basedn discovery when SSF not met
ipa-adtrust-install does not re-add member in adtrust agents group
Nathaniel McCallum (1)#
Ensure ipaUserAuthTypeClass when needed on user creation
Petr Viktorin (8)#
test_ipagetkeytab: Fix assertion in negative test
freeipa.spec.in: Add python-backports-ssl_match_hostname to BuildRequires
permission plugin: Make –target available in the CLI
permission plugin: Improve description of the target option
Add managed read permissions for compat tree
Fix: Add managed read permissions for compat tree and operational attrs
Become IPA 4.0.2
Petr Voborník (10)#
webui: support wildcard attribute level rights
webui: fix nested items creation in dropdown list
webui: internet explorer fixes
webui: detach facet nodes
webui: replace action_buttons with action_widget
webui: remove remaining action-button-disabled occurrences
webui-ci: fix reset password check
webui: better error reporting
webui-ci: fix table widget add
webui: extract complex pkey on Add and Edit
Rob Crittenden (1)#
No longer generate a machine certificate on client installs
Stephen Gallagher (1)#
Change BuildRequires for Java
Tomáš Babej (3)#
ipalib: idrange: Make non-implemented range types fail the validation
ipatests: test_trust: Add test to cover lookup of trusdomains
ipa-client-install: Do not add already configured sources to nsswitch.conf entries