The FreeIPA team would like to announce the FreeIPA v4.1.3 bug fix release!

It can be downloaded from The builds will be available for Fedora 21. Builds for Fedora 20 are available in the official COPR repository.

Highlights in 4.1.3


  • ID Views support user SSH public keys

  • ID Views support IPA user overrides

  • OTP token authentication and synchronization windows are configurable

  • RADIUS server proxy fields added to user page in Web UI

Bug fixes

  • Issues fixed in ipa-restore:

    • doesn’t crash if replica is unreachable

    • checks that it isn’t a restore on a non-matching host

    • improved validation of input options to disallow invalid combinations

    • doesn’t fail if run on a system without IPA installed

    • creates correct log directories

  • certificate renewal process is synchronized

  • migrate-ds: warns user if compat plugin is enabled

  • PassSync plugin could not update synchronized users due to too strict access control

  • replication agreements by Replication Administrators could not be removed due to strict access control

  • anonymous read of a DUA profile was not possible due to strict access control

  • various upgrade fixes related to DNSSEC


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list or the #freeipa channel on Freenode.

Detailed Changelog since 4.1.2

Alexander Bokovoy (4)

  • Support Samba PASSDB 0.2.0 aka interface version 24

  • ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly

  • ipa-kdb: when processing transitions, hand over unknown ones to KDC

  • ipa-kdb: reject principals from disabled domains as a KDC policy

David Kupka (5)

  • Use singular in help metavars + update man pages.

  • Always add /etc/hosts record when DNS is being configured.

  • Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.

  • Abort backup restoration on not matching host.

  • idviews: Allow setting ssh public key on ipauseroverride-add

Gabe Alford (3)

  • Remove dependency on subscription-manager

  • Typos in ipa-rmkeytab options help and man page

  • permission-add does not prompt for ipapermright in interactive mode

Jan Cholasta (18)

  • Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent

  • Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent

  • Improve validation of --instance and --backend options in ipa-restore

  • Check subject name encoding in ipa-cacert-manage renew

  • Refer the user to when something goes wrong in ipa-cacert-manage

  • Fix ipa-restore on systems without IPA installed

  • Remove RUV from LDIF files before using them in ipa-restore

  • Fix CA certificate renewal syslog alert

  • Do not crash on unknown services in installutils.stopped_service

  • Restart dogtag when its server certificate is renewed

  • Make certificate renewal process synchronized

  • Fix validation of ipa-restore options

  • Do not assume certmonger is running in httpinstance

  • Put LDIF files to their original location in ipa-restore

  • Revert “Make all ipatokenTOTP attributes mandatory”

  • Create correct log directories during full restore in ipa-restore

  • Do not crash when replica is unreachable in ipa-restore

  • Bump 389-ds-base and pki-ca dependencies for POODLE fixes

Jan Pazdziora (1)

  • No explicit zone specification.

Martin Babinsky (11)

  • Moved dbus-python dependence to freeipa-python package

  • ipa-kdb: unexpected error code in ‘ipa_kdb_audit_as_req’ triggers a message

  • always get PAC for client principal if AS_REQ is true

  • ipa-kdb: more robust handling of principal addition/editing

  • OTP: failed search for the user of last token emits an error message

  • ipa-pwd-extop: added an informational comment about intentional fallthrough

  • ipa-uuid: emit a message when unexpected mod type is encountered

  • OTP: emit a log message when LDAP entry for config record is not found

  • ipa-client-install: put eol character after the last line of altered config file(s)

  • migrate-ds: exit with error message if no users/groups to migrate are found

  • Changing the token owner changes also the manager

Martin Bašti (19)

  • Fix zonemgr option encoding detection

  • Throw zonemgr error message before installation proceeds

  • Upgrade fix: masking named should be executed only once

  • Using wget to get status of CA

  • Show SSHFP record containing space in fingerprint

  • Fix don’t check certificate during getting CA status

  • Fix: Upgrade forwardzones zones after adding newer replica

  • Fix zone find during forwardzone upgrade

  • Fix traceback if zonemgr error contains unicode

  • DNS tests: separate current forward zone tests

  • New test cases for Forward_zones

  • Detect and warn about invalid DNS forward zone configuration

  • DNS tests: warning if forward zone is inactive

  • Add debug messages into client autodetection

  • DNSSEC catch ldap exceptions in ipa-dnskeysyncd

  • DNSSEC: fix root zone dns name conversion

  • Always return absolute idnsname in dnszone commands

  • Use dyndns_update instead of deprecated sssd option

  • Fix reference counting in pkcs11 extension

Martin Košek (7)

  • Bump SSSD Requires to 1.12.3

  • Allow PassSync user to locate and update NT users

  • Allow Replication Administrators to manipulate Winsync Agreements

  • Replication Administrators cannot remove replication agreements

  • Add anonymous read ACI for DUA profile

  • Print PublicError traceback when in debug mode

  • group-detach does not add correct objectclasses

Nathaniel McCallum (7)

  • Catch USBError during YubiKey location

  • Preliminary refactoring of libotp files

  • Move authentication configuration cache into libotp

  • Enable last token deletion when password auth type is configured

  • Make token auth and sync windows configurable

  • Create an OTP help topic

  • Prefer TCP connections to UDP in krb5 clients

Petr Voborník (10)

  • webui: add radius fields to user page

  • fix indentation in ipa-restore page

  • add --hosts and --hostgroup options to allow/retrieve keytab methods

  • webui: fix service unprovisioning

  • webui: increase duration of notification messages

  • revert removal of cn attribute from idnsRecord

  • migrate-ds: fix compat plugin check

  • rpcclient: use json_encode_binary for verbose output

  • Fix TOTP Synchronization Window label

  • Become IPA 4.1.3

Simo Sorce (3)

  • Avoid calling ldap functions without a context

  • Remove the removal of the ccache

  • Handle DAL ABI change in MIT 1.13

Tomáš Babej (9)

  • Re-initialize NSS database after otptoken plugin tests

  • certs: Fix incorrect flag handling in load_cacert

  • hosts: Display assigned ID view by default in host-find and show commands

  • idviews: Complain if host is already assigned the ID View in idview-apply

  • idviews: Ignore host or hostgroup options set to None

  • baseldap: Handle missing parent objects properly in *-find commands

  • ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView

  • ipatests: Fix old command references in the ID views tests

  • ipatests: Fix incorrect assumptions in idviews tests