The FreeIPA team would like to announce FreeIPA 4.10.1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.10.1

  • 8803: Add support for managing IdP references

    FreeIPA can now authenticate users with the help of OAuth 2.0 identity providers that support the OAuth 2.0 Device Authorization Flow. IdPs known to work are Keycloak, Microsoft Azure, Google, GitHub, and Okta. Details on how to use Keycloak can be found in the FreeIPA workshop: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html


  • 9083: Support MIT Kerberos KDB version 9

    FreeIPA now supports MIT Kerberos 1.20. Resource-based constrained delegation is not yet implemented.


  • 9228: ipa-client-install does not maintain server affinity during installation

    ipa-client-install now uses a single server for the duration of the installation process, either one it discovered or one provided on the command line. Previously it used a temporary configuration for enrollment and then switched to the final configuration for the remaining operations, which could lead to the installer talking to multiple servers. If the client installer was faster than replication, this could lead to errors.


  • 9237: Show order in sudo rule list in web interface

    On the ‘sudo rules’ page, the WebUI now displays a ‘sudo order’ column so that users can easily see which rules override other rules based on their order.


  • 9258: Do not add TLS CA configuration to ldap.conf anymore

    The FreeIPA client installer no longer adds explicit TLS CA configuration to OpenLDAP’s ldap.conf. Since OpenLDAP 2.4.45, explicit CA configuration is not required: OpenLDAP uses the default CA store provided by OpenSSL, and the installer already places the IPA CA in that store.
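
As an added illustration of the OAuth 2.0 Device Authorization Flow (RFC 8628) that the IdP highlight above relies on, here is a client-side polling loop that handles the protocol's error codes (authorization_pending, slow_down, expired_token, access_denied). This is example code written for these notes, not FreeIPA's or Keycloak's implementation; `FakeIdp`, `poll_device_token` and the device code value are constructed for the example.

```python
"""Device Authorization Flow (RFC 8628) polling with its failure modes.
Constructed stand-alone example; not FreeIPA code."""
import time


class FakeIdp:
    """Constructed stand-in for an IdP token endpoint (not a real Keycloak).

    Approves the device code on the `approve_after`-th poll and answers the
    second poll with slow_down so the back-off rule is exercised."""

    def __init__(self, approve_after):
        self.polls = 0
        self.approve_after = approve_after

    def token(self, device_code):
        self.polls += 1
        if device_code != "dev-123":          # unknown or expired device code
            return {"error": "expired_token"}
        if self.polls == 2:
            return {"error": "slow_down"}
        if self.polls < self.approve_after:   # user has not approved yet
            return {"error": "authorization_pending"}
        return {"access_token": "constructed-token", "token_type": "Bearer"}


def poll_device_token(token_endpoint, device_code, interval=5, expires_in=600,
                      sleep=time.sleep):
    """Poll the token endpoint until the user approves, the device code
    expires, or the IdP refuses; honours the RFC 8628 error codes.

    `token_endpoint(device_code)` returns the decoded token response;
    `sleep` is injectable so the flow can be tested offline."""
    elapsed = 0
    while elapsed < expires_in:
        resp = token_endpoint(device_code)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "slow_down":
            interval += 5                     # RFC 8628 section 3.5: add 5 seconds
        elif err != "authorization_pending":
            # access_denied, expired_token or anything unexpected: stop polling
            raise RuntimeError(f"device flow failed: {err}")
        sleep(interval)
        elapsed += interval
    raise TimeoutError("device code expired before the user approved")
```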



Bug fixes

FreeIPA 4.10.1 is a stabilization release for the features delivered as part of the 4.10 version series.

There are more than 40 bug fixes since the FreeIPA 4.10.0 release. Details of the bug fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Resolved tickets

  • #8803 Add support for managing IdP references

  • #8804 Extend supported user authentication methods in IPA to allow IdP auth

  • #8805 Extend `ipa-otpd` daemon to recognize IdP references

  • #8946 RFE: Add label name to Certificates section in WebUI to enable testing

  • #8951 Test for RFE ipa-healthcheck tool can include check to see if the system is FIPS enabled or not

  • #9062 [ipatests] SID generation and test_xmlrpc/test_user_plugin.py

  • #9083 Support MIT Kerberos KDB version 9

  • #9158 Internal error when setting dnsconfig or dnsforwardzone forwarders.

  • #9160 cryptography.utils.register_interface is scheduled for removal

  • #9161 Nightly test failure in test_selinuxusermap.py::test_selinuxusermap::test_misc

  • #9179 test_caless_TestServerCALessToExternalCA_RSN fails in teardown

  • #9188 (rhbz#2098187) Add warning for empty targetattr when creating ACI with RBAC

  • #9192 (rhbz#2094672) IdM WebUI Pagination Size should not allow empty value

  • #9198 [Tracker] nightly failure: after ipa trust-add, cred cache contains cifs/master.ipa.test@IPA.TEST instead of admin principal

  • #9204 [Tracker] In ipa-server-upgrade ca_upgrade_schema() results in unnecessary pki restarts

  • #9206 (rhbz#2109236) ldap bind occurs when admin user changes password with gracelimit=0

  • #9207 Failure in AzurePipeline.freeipa (GATING InstallDNSSECFirst_1_to_5)

  • #9208 ap: Doc build fails against Sphinx 5.1.0

  • #9211 (rhbz#2109243) RFE: Allow grace login limit to be set in IPA WebUI.

  • #9212 (rhbz#2115475) Nightly test failure in test_user.py::test_user::test_password_expiration_notification

  • #9214 Nightly failure in webui test test_subid.py::test_subid::test_subid_range_deletion_not_allowed

  • #9218 (rhbz#2116966) Random failure in test-winsyncmigrate

  • #9225 pytest library module rename from quarkus to keycloak

  • #9226 (rhbz#2124547) Infinite redirect loop in the WebUI for user root

  • #9227 Need test for Keycloak Bridge authentication

  • #9228 ipa-client-install does not maintain server affinity during installation

  • #9230 build failure against gcc < 11

  • #9231 /run/ipa/ccaches uses all available tmpfs space

  • #9237 Show order in sudo rule list in web interface

  • #9238 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ds_configcheck_passwordstorage

  • #9243 (rhbz#2127833) Password Policy Grace login limit allows invalid maximum value

  • #9244 Nightly test failure in test_commands.py::TestIPACommand::test_ipa_cacert_manage_prune

  • #9245 (rhbz#2117167) `extdom` plugin can return object from a wrong domain.

  • #9246 Nightly test failure in test_user_permissions.TestInstallClientNoAdmin

  • #9248 (rhbz#2124369) OTP token sync always returns OK even with random numbers

  • #9249 (rhbz#2108630) Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones

  • #9250 Add basic test for authenticating as Keycloak user on IPA client

  • #9252 (rhbz#2129895) [DDF] The Examples in the RHEL ipa(1) man page show “ipa help commands” with content for “ipa halp topics” and “ipa hel

  • #9254 Exclude installed policy module file from RPM verification

  • #9255 ipapython.dn_ctypes is not compatible with libldap 2.6

  • #9257 (rhbz#2104185) Introduction of URI records for kerberos breaks location functionality

  • #9258 (rhbz#2094673) Do not add TLS CA configuration to ldap.conf anymore

  • #9259 (rhbz#2144737) vault interoperability with older RHEL systems is broken

  • #9264 Nightly failure in test_integration/test_sso.py::TestSsoBridge::test_ipa_login_with_sso_user

  • #9269 (rhbz#2143224, rhbz#2075452) ipa-certupdate does not restart/reload KDC on servers

  • #9271 (rhbz#2143224) Support PKINIT with ipa-client-install

  • #9273 (rhbz#1405935) [RFE] Support IPA CA installation on an HSM

  • #9274 ipa-join: pass the curl write function by name, not address

Detailed changelog since 4.10.0

Armando Neto (1)

  • webui: Do not allow empty pagination size commit #9192

Alexander Bokovoy (10)

  • ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later commit

  • ipa-kdb: fix PAC requester check commit #9083

  • ipa-kdb: handle empty S4U proxy in allowed_to_delegate commit #9083

  • ipa-kdb: handle cross-realm TGT entries when generating PAC commit #9083

  • ipa-kdb: add krb5 1.20 support commit #9083

  • ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20 commit #9083

  • ipaclient: do not set TLS CA options in ldap.conf anymore commit #9258

  • Remove empty translation for ‘si’ which breaks linter commit

  • fix canonicalization issue in Web UI commit #9226

  • ipa-otpd: initialize local pointers and handle gcc 10 commit #9230

Anuja More (1)

  • ipatests : Test query to AD specific attributes is successful. commit #9127

Andika Triwidada (1)

  • Translated using Weblate (Indonesian) commit

Antonio Torres (1)

  • Back to git snapshots commit

Alexey Tikhonov (3)

  • extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization) commit

  • extdom: make sure result doesn’t miss domain part commit #9245

  • extdom: internal functions should be static commit

Carla Martinez (7)

  • Update API and VERSION commit #9249

  • webui: Set ‘SOA serial’ field as read-only commit #9249

  • ipatest: Remove warning message for ‘idnssoaserial’ commit #9249

  • Set ‘idnssoaserial’ to deprecated commit #9249

  • webui: Show ‘Sudo order’ column commit #9237

  • Set pkeys in test_selinuxusermap.py::test_misc::delete_record commit #9161

  • webui: Allow grace login limit commit #9211

Jan Kuparinen (14)

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

David Pascual (2)

  • ipatest: fix prci checker target masked return code & add pylint commit

  • ipatests: Checker script for prci definitions commit

Erik (1)

  • ipatests: healthcheck: test if system is FIPS enabled commit #8951

Endi Sukma Dewata (1)

  • Remove pki_restart_configured_instance commit

Florence Blanc-Renaud (15)

  • Spec file: bump the selinux-policy version commit #9198

  • webui tests: fix test_subid suite commit #9214

  • ipatests: mark xfail tests using dnssec commit #9216

  • ipatests: mark xfail tests using sssctl domain-status commit #9234

  • Tests: test on f37 and f36 commit

  • ipa man page: format the EXAMPLES section commit #9252

  • ipatests: add negative test for otptoken-sync commit #9248

  • ipa otptoken-sync: return error when sync fails commit #9248

  • ipa-cacert-manage prune: remove all expired certs commit #9244

  • gitignore: add install/oddjob/org.freeipa.server.config-enable-sid commit

  • ipatests: Fix expected object classes commit #9062

  • check_repl_update: in progress is a boolean commit #9218

  • azure tests: disable TestInstallDNSSECFirst commit #9216

  • Nightly tests: fix template for nightly_ipa-4-10_latest.yaml commit

  • ipatests: add nightly definitions for ipa-4-10 branch commit

Fraser Tweedale (2)

  • install: suggest --skip-mem-check when mem check fails commit #8404

  • man: add --skip-mem-check to man pages commit #8404

Jesse Sandberg (1)

  • Fix ipa-ccache-sweeper activation timer and clean up service file commit #9231

Nikola Knazekova (1)

  • Exclude installed policy module file from RPM verification commit #9254

Weblate (5)

  • Update translation files commit

  • Update translation files commit

  • Update translation files commit

  • Update translation files commit

  • Update translation files commit

Piotr Drąg (2)

  • Translated using Weblate (Polish) commit

  • Translated using Weblate (Polish) commit

Rob Crittenden (10)

  • Move client certificate request after krb5.conf is created commit #9246

  • Defer creating the final krb5.conf on clients commit #9228

  • Fix upper bound of password policy grace limit commit #9243

  • Set default on group pwpolicy with no grace limit in upgrade commit #9212

  • Set default gracelimit on group password policies to -1 commit #9212

  • doc: Update LDAP grace period design with default values commit #9212

  • upgrades: Don’t restart the CA on ACME and profile schema change commit #9204

  • Disabling gracelimit does not prevent LDAP binds commit #9206

  • Warn for permissions with read/write/search/compare and no attrs commit #9188

  • Only calculate LDAP password grace when the password is expired commit #1539

Ricky Tigg (3)

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

Sumit Bose (1)

  • ipa-kdb: do not fail if certmap rule cannot be added commit

김인수 (4)

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Added translation using Weblate (Korean) commit

Stanislav Levin (6)

Scott Poore (4)

  • ipatests: add keycloak user login to ipa test commit #9250

  • ipatests: add prci definitions for test_sso jobs commit

  • ipatests: add Keycloak Bridge test commit #9227

  • ipatests: Rename create_quarkus to create_keycloak commit #9225

Sumedh Sidhaye (3)

  • With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck. commit #9238

  • Additional tests for RSN v3 commit #2016

  • Added a check while removing ‘cert_dir’. The teardown method is called even if all the tests are skipped since the required PKI version is not present. The teardown is trying to remove a non-existent directory. commit #9179

Sudhir Menon (2)

  • ipatests: ipa-client-install --subid adds entry in nsswitch.conf commit #9159

  • ipatests: WebUI: do not allow subid range deletion commit #9150

Temuri Doghonadze (4)

  • Translated using Weblate (Georgian) commit

  • Translated using Weblate (Georgian) commit

  • Translated using Weblate (Georgian) commit

  • Added translation using Weblate (Georgian) commit

Thomas Woerner (1)

  • DNSResolver: Fix use of nameservers with ports commit #9158

Viacheslav Sychov (1)

  • fix: Handle /proc/1/sched missing error commit

Yuri Chornoivan (6)

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit