Release date: 2015-09-07

The FreeIPA team would like to announce the FreeIPA v4.2.1 bug-fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the official COPR repository.

Highlights in 4.2.1

  • Added support for multiple IP addresses during client installation

Bug fixes

  • Various fixes for new Vault feature
  • Various fixes for new Certificates Profiles feature
  • Fixed ACI issue in search for hbac rules, sudo rules, users and other IPA objects by non-admin users
  • Backup and restore fixes, mostly related to DNSSEC
  • ipa-client-install is able to request a certificate in a kickstart environment
  • Fixed server upgrade failure in "Enabling KDC proxy" step
  • Added option to establish bidirectional trust in Web UI

Upgrade instructions are available on the Upgrade page.

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Detailed Changelog since 4.2.0

Alexander Bokovoy (5)

  • selinux: enable httpd_run_ipa to allow communicating with oddjobd services
  • oddjob: avoid chown keytab to sssd if sssd user does not exist
  • Fix selector of protocol for LSA RPC binding string
  • trusts: harden trust-fetch-domains oddjobd-based script
  • trusts: format Kerberos principal properly when fetching trust topology

Christian Heimes (10)

  • Start dirsrv for kdcproxy upgrade
  • Fix selinux denial during kdcproxy user creation
  • certprofile-import: improve profile format documentation
  • otptoken: use ipapython.nsslib instead of Python's ssl module
  • Require Dogtag PKI >= 10.2.6
  • Validate vault's file parameters
  • certprofile-import: do not require profileId in profile data
  • Asymmetric vault: validate public key in client
  • Add flag to list all service and user vaults
  • Change internal rsa_(public|private)_key variable names

David Kupka (9)

  • migration: Use api.env variables.
  • certmonger: Use private unix socket when DBus SystemBus is not available.
  • ipa-client-install: Do not (re)start certmonger and DBus daemons.
  • user-undel: Fix error messages.
  • client: Add support for multiple IP addresses during installation.
  • client: Add description of --ip-address and --all-ip-addresses to man page
  • Backup/restore authentication control configuration
  • vault: Limit size of data stored in vault
  • ipactl: Do not start/stop/restart single service multiple times

Endi Sukma Dewata (6)

  • Fixed missing KRA agent cert on replica.
  • Added CLI param and ACL for vault service operations.
  • Fixed vault container ownership.
  • Added support for changing vault encryption.
  • Removed clear text passwords from KRA install log.
  • Using LDAPI to setup CA and KRA agents.

Fraser Tweedale (14)

  • user-show: add --out option to save certificates to file
  • Fix otptoken-remove-managedby command summary
  • Give more info on virtual command access denial
  • Allow SAN extension for cert-request self-service
  • Add profile for DNP3 / IEC 62351-8 certificates
  • Work around python-nss bug on unrecognised OIDs
  • Fix default CA ACL added during upgrade
  • Fix KRB5PrincipalName / UPN SAN comparison
  • certprofile: add profile format explanation
  • Add permission for bypassing CA ACL enforcement
  • Prohibit deletion of predefined profiles
  • cert-request: remove allowed extensions check
  • certprofile: prevent rename (modrdn)
  • certprofile: remove 'rename' option

Jan Cholasta (14)

  • spec file: Move /etc/ipa/kdcproxy to the server subpackage
  • spec file: Update minimum required version of krb5
  • install: Fix server and replica install options
  • ULC: Prevent preserved users from being assigned membership
  • spec file: Fix install with the server-dns subpackage
  • baseldap: Allow overriding member param label in LDAPModMember
  • vault: Fix param labels in output of vault owner commands
  • install: Fix replica install with custom certificates
  • vault: Fix vault-find with criteria
  • vault: Add container information to vault command results
  • spec file: Add Requires(post) on selinux-policy
  • cert renewal: Include KRA users in Dogtag LDAP update
  • cert renewal: Automatically update KRA agent PEM file
  • ldap: Make ldap2 connection management thread-safe again

Lenka Doudova (2)

  • Automated test for stageuser plugin
  • Fix user tracker to reflect new user-del message

Martin Babinsky (12)

  • ipa-ca-install: print more specific errors when CA is already installed
  • enable debugging of ntpd during client installation
  • fix broken search for users by their manager
  • ACI plugin: correctly parse bind rules enclosed in parentheses
  • test suite for user/host/service certificate management API commands
  • store certificates issued for user entries as userCertificate;binary
  • idranges: raise an error when local IPA ID range is being modified
  • fix typo in BasePathNamespace member pointing to ods exporter config
  • ipa-backup: archive DNSSEC zone file and kasp.db
  • ipa-restore: check whether DS is running before attempting connection
  • improve the handling of krb5-related errors in dnssec daemons
  • improve the usability of `ipa user-del --preserve` command

Martin Bašti (23)

  • Prevent to rename certprofile profile id
  • Stageuser-activate: show username instead of DN
  • copy-schema-to-ca: allow to overwrite schema files
  • fix selinuxusermap search for non-admin users
  • Validate adding privilege to a permission
  • sysrestore: copy files instead of moving them to avoid SELinux issues
  • Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
  • Py3: replace tab with space
  • DNS: Consolidate DNS RR types in API and schema
  • DNS: check if DNS package is installed
  • Remove ico files from Makefile
  • Use 'mv -Z' in specfile to restore SELinux context
  • ULC: Fix stageuser-add --from-delete command
  • Fix upgrade of sidgen and extdom plugins
  • Add dependency to SSSD 1.13.1
  • Server Upgrade: Start DS before CA is started.
  • Add user-stage command
  • DNSSEC: fix forward zone forwarders checks
  • DNSSEC: remove "DNSSEC is experimental" warnings
  • Backup: back up the hosts file
  • Installer: do not modify /etc/hosts before user agreement
  • DNSSEC: backup and restore opendnssec zone list file
  • DNSSEC: remove ccache and keytab of ipa-ods-exporter

Milan Kubík (4)

  • ipalib: pass api instance into textui in doctest snippets
  • spec file: update the python package names for libipa_hbac and libsss_nss_idmap
  • tests: Allow Tracker.dn be an instance of Fuzzy
  • ipatests: Take otptoken import test out of execution

Oleg Fayans (2)

  • Added a user-friendly output to an import error
  • Temporary fix for ticket 5240

Petr Voborník (17)

  • Become IPA 4.2.0
  • do not import memcache on client
  • webui: fix user reset password dialog
  • fix hbac rule search for non-admin users
  • webui: add Kerberos configuration instructions for Chrome
  • webui: fix regressions failed auth messages
  • webui: add LDAP vs Kerberos behavior description to user auth types
  • adjust search so that it works for non-admin users
  • validate mutually exclusive options in vault-add
  • add permission: System: Manage User Certificates
  • vault: normalize service principal in service vault operations
  • vault: validate vault type
  • vault: change default vault type to symmetric
  • fix missing information in object metadata
  • webui: add option to establish bidirectional trust
  • vault: fix vault tests after default type change
  • Become IPA 4.2.1

Petr Špaček (6)

  • Create server-dns sub-package.
  • DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
  • DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
  • DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master
  • DNSSEC: Fix key metadata export
  • DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.

Rob Crittenden (1)

  • Use %license instead of %doc for packaging the license

Simo Sorce (1)

  • Fix DNS records installation for replicas

Stanislav Laznicka (1)

  • ipa-client-install: warn when IP used in --server

Tomáš Babej (24)

  • ipalib: Fix missing format for InvalidDomainLevelError
  • trusts: Check for AD root domain among our trusted domains
  • ipaplatform: Add constants submodule
  • tests: user_plugin: Add preserved flag when --all is used
  • dcerpc: Expand explanation for WERR_ACCESS_DENIED
  • idviews: Check for the Default Trust View only if applying the view
  • tests: service_plugin: Make sure the cert is decoded from base64
  • tests: realmdomains_plugin: Add explanatory comment
  • tests: Version is currently generated during command call
  • tests: vault_plugin: Skip tests if KRA not available
  • tests: test_rpc: Create connection for the current thread
  • tests: test_cert: Services can have multiple certificates
  • dcerpc: Fix UnboundLocalError for ccache_name
  • dcerpc: Add get_trusted_domain_object_type method
  • idviews: Restrict anchor to name and name to anchor conversions
  • idviews: Enforce objectclass check in idoverride*-del
  • replication: Fix incorrect exception invocation
  • Fix incorrect type comparison in trust-fetch-domains
  • dcerpc: Simplify generation of LSA-RPC binding strings
  • adtrust-install: Correctly determine 4.2 FreeIPA servers
  • trusts: Detect domain clash with IPA domain when adding an AD trust
  • trusts: Detect missing Samba instance
  • winsync-migrate: Add warning about passsync
  • winsync-migrate: Expand the man page

Yuri Chornoivan (1)

  • Fix minor typos