The FreeIPA team would like to announce the FreeIPA 4.10.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.10.1
8803: Add support for managing IdP references
FreeIPA can now authenticate users with the help of OAuth 2.0 identity providers supporting OAuth 2.0 Device Authorization Flow. IdPs known to work are Keycloak, Microsoft Azure, Google, Github, and Okta. Details on how to use Keycloak can be found in FreeIPA workshop: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html
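To make the Device Authorization Flow mentioned above concrete, here is an added illustration of the grant as RFC 8628 specifies it. This is not FreeIPA or ipa-otpd code: both the identity provider (`FakeIdP`) and the polling client (`device_login`) are hypothetical stand-ins run in one process with an injectable clock, so the normal approval path and the three error paths a client must handle (`authorization_pending`, `slow_down`, `expired_token`/`access_denied`) can be stepped through deterministically.

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example, not FreeIPA code. All names (FakeIdP, FakeClock, device_login,
the client_id "ipa-client", the verification URI) are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class _Pending:
    user_code: str
    expires_at: float
    interval: int
    last_poll: float = -1.0
    approved: bool = False
    denied: bool = False
    access_token: Optional[str] = None


class FakeIdP:
    """Minimal IdP: device authorization endpoint plus token endpoint."""

    def __init__(self, clock=time.time, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self._pending: Dict[str, _Pending] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        # Device code stays with the client; user code is what the human types in.
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = _Pending(user_code, self.clock() + self.lifetime, self.interval)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example.test/device",
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decides(self, user_code: str, approve: bool) -> None:
        # Simulates the human at the verification URI approving or refusing.
        for p in self._pending.values():
            if p.user_code == user_code:
                if approve:
                    p.approved, p.access_token = True, secrets.token_urlsafe(32)
                else:
                    p.denied = True
                return
        raise KeyError("unknown user_code")

    def token(self, grant_type: str, device_code: str, client_id: str) -> dict:
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        p = self._pending.get(device_code)
        if p is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= p.expires_at:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if p.last_poll >= 0 and now - p.last_poll < p.interval:
            p.interval += 5          # RFC 8628 5.2: client must back off 5 s more
            p.last_poll = now
            return {"error": "slow_down"}
        p.last_poll = now
        if p.denied:
            del self._pending[device_code]
            return {"error": "access_denied"}
        if not p.approved:
            return {"error": "authorization_pending"}
        del self._pending[device_code]   # a device code is single use
        return {"access_token": p.access_token, "token_type": "Bearer"}


class FakeClock:
    """Deterministic clock so the polling loop runs instantly in tests."""
    def __init__(self):
        self.now = 1_000_000.0
    def time(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


def device_login(idp, client_id, scope, clock, sleep, on_poll):
    """Client side: obtain codes, show the prompt, poll until a terminal result."""
    auth = idp.device_authorization(client_id, scope)
    prompt = f"Visit {auth['verification_uri']} and enter code {auth['user_code']}"
    interval, deadline, polls = auth["interval"], clock() + auth["expires_in"], 0
    while clock() < deadline:
        sleep(interval)
        polls += 1
        on_poll(polls, auth["user_code"])   # hook standing in for the human
        resp = idp.token(DEVICE_GRANT, auth["device_code"], client_id)
        if "access_token" in resp:
            return {"ok": True, "prompt": prompt, "token": resp["access_token"]}
        err = resp["error"]
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5
            continue
        return {"ok": False, "prompt": prompt, "error": err}
    return {"ok": False, "prompt": prompt, "error": "expired_token"}


def run_scenario(approve_after, approve, lifetime=600):
    """Drive one full exchange; approve_after=None means the user never acts."""
    clock = FakeClock()
    idp = FakeIdP(clock=clock.time, lifetime=lifetime)

    def on_poll(n, user_code):
        if approve_after is not None and n == approve_after:
            idp.user_decides(user_code, approve)
    return device_login(idp, "ipa-client", "openid", clock.time, clock.sleep, on_poll)


def demonstrate_slow_down():
    """A client polling faster than the advertised interval is throttled."""
    clock = FakeClock()
    idp = FakeIdP(clock=clock.time)
    auth = idp.device_authorization("ipa-client", "openid")
    errors = []
    for wait in (0, 0, 10):
        clock.sleep(wait)
        errors.append(idp.token(DEVICE_GRANT, auth["device_code"], "ipa-client")["error"])
    return errors


if __name__ == "__main__":
    print(run_scenario(approve_after=2, approve=True))
    print(run_scenario(approve_after=1, approve=False))
    print(run_scenario(approve_after=None, approve=True, lifetime=20))
    print(demonstrate_slow_down())
```

The security-relevant details to notice are that the device code never leaves the client and is consumed on first successful redemption, that the user code is short-lived and only meaningful at the IdP's verification URI, and that a client which ignores `slow_down` or the expiry is throttled rather than granted anything.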
9083: Support MIT Kerberos KDB version 9
FreeIPA now supports MIT Kerberos 1.20. Resource-based constrained delegation is not yet implemented.
9228: ipa-client-install does not maintain server affinity during installation
ipa-client-install will use a single server for the duration of the installation process, either one discovered or one provided on the command line. Previously it used a temporary configuration for enrollment and then switched to the final configuration for the remaining operations, so the installer could end up talking to multiple servers. If the client installer was faster than replication, this could lead to errors.
9237: Show order in sudo rule list in web interface
In the ‘sudo rules’ page, the WebUI is now displaying a ‘sudo order’ column so that the users can easily see which rules override other rules based on their order.
9258: Do not add TLS CA configuration to ldap.conf anymore
The FreeIPA client installer no longer adds an explicit TLS CA configuration to OpenLDAP's ldap.conf. Since OpenLDAP 2.4.45, explicit CA configuration is not required: OpenLDAP uses the default CA store provided by OpenSSL, and the installer already places the IPA CA in that default store.
9273: [RFE] Support IPA CA installation on an HSM
The FreeIPA CA can now be deployed with a hardware security module as the CA key storage device. Details of the supported use cases can be found in the HSM design document: https://freeipa.readthedocs.io/en/ipa-4-10/designs/hsm.html
Bug fixes
FreeIPA 4.10.1 is a stabilization release for the features delivered as part of the 4.10 version series.
There are more than 40 bug fixes since the FreeIPA 4.10.0 release. Details of the bug fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.
Resolved tickets
#8803 Add support for managing IdP references
#8804 Extend supported user authentication methods in IPA to allow IdP auth
#8805 Extend `ipa-otpd` daemon to recognize IdP references
#8946 RFE: Add label name to Certificates section in WebUI to enable testing
#8951 Test for RFE ipa-healthcheck tool can include check to see if the system is FIPS enabled or not
#9062 [ipatests] SID generation and test_xmlrpc/test_user_plugin.py
#9083 Support MIT Kerberos KDB version 9
#9158 Internal error when setting dnsconfig or dnsforwardzone forwarders.
#9160 cryptography.utils.register_interface is scheduled for removal
#9161 Nightly test failure in test_selinuxusermap.py::test_selinuxusermap::test_misc
#9179 test_caless_TestServerCALessToExternalCA_RSN fails in teardown
#9188 (rhbz#2098187) Add warning for empty targetattr when creating ACI with RBAC
#9192 (rhbz#2094672) IdM WebUI Pagination Size should not allow empty value
#9198 [Tracker] nightly failure: after ipa trust-add, cred cache contains cifs/master.ipa.test@IPA.TEST instead of admin principal
#9204 [Tracker] In ipa-server-upgrade ca_upgrade_schema() results in unnecessary pki restarts
#9206 (rhbz#2109236) ldap bind occurs when admin user changes password with gracelimit=0
#9207 Failure in AzurePipeline.freeipa (GATING InstallDNSSECFirst_1_to_5)
#9208 ap: Doc build fails against Sphinx 5.1.0
#9211 (rhbz#2109243) RFE: Allow grace login limit to be set in IPA WebUI.
#9212 (rhbz#2115475) Nightly test failure in test_user.py::test_user::test_password_expiration_notification
#9214 Nightly failure in webui test test_subid.py::test_subid::test_subid_range_deletion_not_allowed
#9218 (rhbz#2116966) Random failure in test-winsyncmigrate
#9225 pytest library module rename from quarkus to keycloak
#9226 (rhbz#2124547) Infinite redirect loop in the WebUI for user root
#9227 Need test for Keycloak Bridge authentication
#9228 ipa-client-install does not maintain server affinity during installation
#9230 build failure against gcc < 11
#9231 /run/ipa/ccaches uses all available tmpfs space
#9237 Show order in sudo rule list in web interface
#9238 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ds_configcheck_passwordstorage
#9243 (rhbz#2127833) Password Policy Grace login limit allows invalid maximum value
#9244 Nightly test failure in test_commands.py::TestIPACommand::test_ipa_cacert_manage_prune
#9245 (rhbz#2117167) `extdom` plugin can return object from a wrong domain.
#9246 Nightly test failure in test_user_permissions.TestInstallClientNoAdmin
#9248 (rhbz#2124369) OTP token sync always returns OK even with random numbers
#9249 (rhbz#2108630) Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones
#9250 Add basic test for authenticating as Keycloak user on IPA client
#9252 (rhbz#2129895) [DDF] The Examples in the RHEL ipa(1) man page show “ipa help commands” with content for “ipa halp topics” and “ipa hel
#9254 Exclude installed policy module file from RPM verification
#9255 ipapython.dn_ctypes is not compatible with libldap 2.6
#9257 (rhbz#2104185) Introduction of URI records for kerberos breaks location functionality
#9258 (rhbz#2094673) Do not add TLS CA configuration to ldap.conf anymore
#9259 (rhbz#2144737) vault interoperability with older RHEL systems is broken
#9264 Nightly failure in test_integration/test_sso.py::TestSsoBridge::test_ipa_login_with_sso_user
#9269 (rhbz#2143224, rhbz#2075452) ipa-certupdate does not restart/reload KDC on servers
#9271 (rhbz#2143224) Support PKINIT with ipa-client-install
#9273 (rhbz#1405935) [RFE] Support IPA CA installation on an HSM
#9274 ipa-join: pass the curl write function by name, not address
Detailed changelog since 4.10.0
Armando Neto (1)
Alexander Bokovoy (10)
ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later
ipa-kdb: handle empty S4U proxy in allowed_to_delegate (#9083)
ipa-kdb: handle cross-realm TGT entries when generating PAC (#9083)
ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20 (#9083)
ipaclient: do not set TLS CA options in ldap.conf anymore (#9258)
Remove empty translation for 'si' which breaks linter
ipa-otpd: initialize local pointers and handle gcc 10 (#9230)
Anuja More (1)
Andika Triwidada (1)
Translated using Weblate (Indonesian)
Antonio Torres (1)
Back to git snapshots
Alexey Tikhonov (3)
Carla Martinez (7)
Jan Kuparinen (14)
Translated using Weblate (Finnish) (14 commits)
David Pascual (2)
Erik (1)
Endi Sukma Dewata (1)
Remove pki_restart_configured_instance
Florence Blanc-Renaud (15)
ipatests: mark xfail tests using sssctl domain-status (#9234)
Tests: test on f37 and f36
ipa otptoken-sync: return error when sync fails (#9248)
ipa-cacert-manage prune: remove all expired certs (#9244)
gitignore: add install/oddjob/org.freeipa.server.config-enable-sid
Nightly tests: fix template for nightly_ipa-4-10_latest.yaml
ipatests: add nightly definitions for ipa-4-10 branch
Fraser Tweedale (2)
Jesse Sandberg (1)
Nikola Knazekova (1)
Weblate (5)
Piotr Drąg (2)
Rob Crittenden (10)
Move client certificate request after krb5.conf is created (#9246)
Set default on group pwpolicy with no grace limit in upgrade (#9212)
Set default gracelimit on group password policies to -1 (#9212)
doc: Update LDAP grace period design with default values (#9212)
upgrades: Don't restart the CA on ACME and profile schema change (#9204)
Disabling gracelimit does not prevent LDAP binds (#9206)
Warn for permissions with read/write/search/compare and no attrs (#9188)
Only calculate LDAP password grace when the password is expired (#1539)
Ricky Tigg (3)
Sumit Bose (1)
ipa-kdb: do not fail if certmap rule cannot be added
김인수 (4)
Stanislav Levin (6)
Scott Poore (4)
Sumedh Sidhaye (3)
With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck. (#9238)
Added a check while removing 'cert_dir'. The teardown method is called even if all the tests are skipped since the required PKI version is not present. The teardown is trying to remove a non-existent directory. (#9179)
Sudhir Menon (2)
Temuri Doghonadze (4)
Thomas Woerner (1)
Viacheslav Sychov (1)
fix: Handle /proc/1/sched missing error