The FreeIPA team would like to announce FreeIPA v4.1.3 bug fix release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds will be available for Fedora 21. Builds for Fedora 20 are available in the official COPR repository.
Highlights in 4.1.3#
Enhancements#
ID Views support user SSH public keys
ID Views support IPA user overrides
OTP token authentication and synchronization windows are configurable
RADIUS server proxy fields added to user page in Web UI
Bug fixes#
Issues fixed in ipa-restore:
doesn’t crash if replica is unreachable
checks if it isn’t a restore on non matching host
improved validation of input options to disallow invalid combinations
doesn’t fail if run on a system without IPA installed
creates correct log directories
certificate renewal process is synchronized
migrate-ds: warns user if compat plugin is enabled
PassSync plugin could not update synchronized users due to too strict access control
replication agreements by Replication Administrators could not be removed due to strict access control
anonymous read of a DUA profile was not possible due to strict access control
various upgrade fixes related to DNSSEC
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.1.2#
Alexander Bokovoy (4)#
Support Samba PASSDB 0.2.0 aka interface version 24
ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
ipa-kdb: when processing transitions, hand over unknown ones to KDC
ipa-kdb: reject principals from disabled domains as a KDC policy
David Kupka (5)#
Use singular in help metavars + update man pages.
Always add /etc/hosts record when DNS is being configured.
Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
Abort backup restoration on not matching host.
idviews: Allow setting ssh public key on ipauseroverride-add
Gabe Alford (3)#
Remove dependency on subscription-manager
Typos in ipa-rmkeytab options help and man page
permission-add does not prompt for ipapermright in interactive mode
Jan Cholasta (18)#
Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
Improve validation of –instance and –backend options in ipa-restore
Check subject name encoding in ipa-cacert-manage renew
Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
Fix ipa-restore on systems without IPA installed
Remove RUV from LDIF files before using them in ipa-restore
Fix CA certificate renewal syslog alert
Do not crash on unknown services in installutils.stopped_service
Restart dogtag when its server certificate is renewed
Make certificate renewal process synchronized
Fix validation of ipa-restore options
Do not assume certmonger is running in httpinstance
Put LDIF files to their original location in ipa-restore
Revert “Make all ipatokenTOTP attributes mandatory”
Create correct log directories during full restore in ipa-restore
Do not crash when replica is unreachable in ipa-restore
Bump 389-ds-base and pki-ca dependencies for POODLE fixes
Jan Pazdziora (1)#
No explicit zone specification.
Martin Babinsky (11)#
Moved dbus-python dependence to freeipa-python package
ipa-kdb: unexpected error code in ‘ipa_kdb_audit_as_req’ triggers a message
always get PAC for client principal if AS_REQ is true
ipa-kdb: more robust handling of principal addition/editing
OTP: failed search for the user of last token emits an error message
ipa-pwd-extop: added an informational comment about intentional fallthrough
ipa-uuid: emit a message when unexpected mod type is encountered
OTP: emit a log message when LDAP entry for config record is not found
ipa-client-install: put eol character after the last line of altered config file(s)
migrate-ds: exit with error message if no users/groups to migrate are found
Changing the token owner changes also the manager
Martin Bašti (19)#
Fix zonemgr option encoding detection
Throw zonemgr error message before installation proceeds
Upgrade fix: masking named should be executed only once
Using wget to get status of CA
Show SSHFP record containing space in fingerprint
Fix don’t check certificate during getting CA status
Fix: Upgrade forwardzones zones after adding newer replica
Fix zone find during forwardzone upgrade
Fix traceback if zonemgr error contains unicode
DNS tests: separate current forward zone tests
New test cases for Forward_zones
Detect and warn about invalid DNS forward zone configuration
DNS tests: warning if forward zone is inactive
Add debug messages into client autodetection
DNSSEC catch ldap exceptions in ipa-dnskeysyncd
DNSSEC: fix root zone dns name conversion
Always return absolute idnsname in dnszone commands
Use dyndns_update instead of deprecated sssd option
Fix reference counting in pkcs11 extension
Martin Košek (7)#
Bump SSSD Requires to 1.12.3
Allow PassSync user to locate and update NT users
Allow Replication Administrators manipulate Winsync Agreements
Replication Administrators cannot remove replication agreements
Add anonymous read ACI for DUA profile
Print PublicError traceback when in debug mode
group-detach does not add correct objectclasses
Nathaniel McCallum (7)#
Catch USBError during YubiKey location
Preliminary refactoring of libotp files
Move authentication configuration cache into libotp
Enable last token deletion when password auth type is configured
Make token auth and sync windows configurable
Create an OTP help topic
Prefer TCP connections to UDP in krb5 clients
Petr Voborník (10)#
webui: add radius fields to user page
fix indentation in ipa-restore page
add –hosts and –hostgroup options to allow/retrieve keytab methods
webui: fix service unprovisioning
webui: increase duration of notification messages
revert removal of cn attribute from idnsRecord
migrate-ds: fix compat plugin check
rpcclient: use json_encode_binary for verbose output
Fix TOTP Synchronization Window label
Become IPA 4.1.3
Simo Sorce (3)#
Avoid calling ldap functions without a context
Remove the removal of the ccache
Handle DAL ABI change in MIT 1.13
Tomáš Babej (9)#
Re-initialize NSS database after otptoken plugin tests
certs: Fix incorrect flag handling in load_cacert
hosts: Display assigned ID view by default in host-find and show commands
idviews: Complain if host is already assigned the ID View in idview-apply
idviews: Ignore host or hostgroup options set to None
baseldap: Handle missing parent objects properly in *-find commands
ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView
ipatests: Fix old command references in the ID views tests
ipatests: Fix incorrect assumptions in idviews tests