The FreeIPA team would like to announce FreeIPA v4.3.1 bug fixing release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the official COPR repository. Experimental builds for CentOS 7 are available in the official FreeIPA CentOS7 COPR repository
Highlights in 4.3.1#
Enhancements#
FreeIPA Apache instance has an update mod_nss cipher suite to only allow secure ciphers #5589
Directory Server is configured with “default” cipher suite instead of “+all” #5684
topology graph user experience was improved. Graph is enlarged to fill all available space. It can be moved and zoomed so that it handles bigger topologies better. #5502, #5649, #5647
MS-PAC extension was made optional for users #2579, currently without UI #5752
added option to disable preauth for service principal names. Configurable via ipaconfigstring value “KDC:Disable Default Preauth for SPNs” in server config. #3860
improved behavior of DNA plugin in complex FreeIPA environments where replicas are not all interconnected so that directory server is able to lookup ranges on other servers once a range is exhausted #4026
3des and rc4 enctypes are no longer used on new installations of FreeIPA server #4740
`ipa-replica-manage clean-dangling-ruv` subcommand was added to help with cases with dandling RUVs, especially the ones related to CA suffix #5411
deprecated keytab_set extended operation was removed from ipasam module #5495
an option was added to Web UI to allow to specify GID number in user adder dialog
improved warning message on uninstallation of replica notifying that admin might be removing the last CA, KRA or DNSSec master #5544
FreeIPA python packages were made independent on architecture(noarch) #5596
AD users are now shown as members of IPA groups when external group is added to IPA group #4403
Bug fixes#
fixed bug where `ipa-cacert-manage install` failed on intermediate CA certs #5612
fixed bug where ipa-server-install didn’t stop on error and subsequently reported incorrect root cause #2539
fixed bug where ipa-ca-install hang on creating a temporary CA admin during replica promotion #5412
fixed issue with vault-archive command sometimes not working #5538
fixed regression in Web UI where required indicator ‘*’ was missing on Global Password Policy page, priority field #5553
fixed regression in reverse zone creation/handling on domain level 0 in ipa-replica-prepare by adding –auto-reverse and –allow-zone-overlap options #5563
fixed bug where DNS zone overlap check caused failure of ipa-dns-install #5564
fixed upgrade bug which prevents installation of replicas from masters updated to 4.3.0 #5575
fixed rare bug in connection handling which can cause a crash of KDC #5577
fixed regression in updating DNS entries in `ipa-csreplica-manage del` #5583
fixed not displaying suffixes in IPA servers table in Web UI #5609
fixed deadlock in directory server between slapi-nis/memberof when a topology segment was added/removed #5637
fixed issue where ipa-adtrust-install sometimes created incorrect SRV records #5663
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.3.0#
Abhijeet Kasurde (1)#
Fixed login error message box in LoginScreen page
Alexander Bokovoy (1)#
slapi-nis: update configuration to allow external members of IPA groups
Christian Heimes (3)#
Require Dogtag 10.2.6-13 to fix KRA uninstall
Modernize mod_nss’s cipher suites
Move user/group constants for PKI and DS into ipaplatform
David Kupka (19)#
installer: Propagate option values from components instead of copying them.
installer: Fix logic of reading option values from cache.
ipa-dns-install: Do not check for zone overlap when DNS installed.
ipa-replica-prepare: Add ‘–auto-reverse’ and ‘–allow-zone-overlap’ options
installer: Change reverse zones question to better reflect reality.
Fix: Use unattended parameter instead of options.unattended
CI: Add ‘2-connected’ topology generator.
CI: Add simple replication test in 2-connected topology.
CI: Add test for 2-connected topology generator.
CI: Fix pep8 errors in 2-connected topology generator
CI: add empty topology test for 2-connected topology generator
CI: Add double circle topology.
CI: Add replication test utilizing double-circle topology.
CI: Add test for double-circle topology generator.
CI: Make double circle topology python3 compatible
upgrade: Match whole pre/post command not just basename.
dsinstance: add start_tracking_certificates method
httpinstance: add start_tracking_certificates method
Look up HTTPD_USER’s UID and GID during installation.
Filip Skola (3)#
Refactor test_user_plugin, use UserTracker for tests
Refactor test_replace
Refactor test_attr
Fraser Tweedale (1)#
Do not decode HTTP reason phrase from Dogtag
Jan Cholasta (13)#
ipalib: assume version 2.0 when skip_version_check is enabled
ipapython: remove default_encoding_utf8
ipapython: port p11helper C code to Python
ipapython: use python-cryptography instead of libcrypto in p11helper
spec file: package python-ipalib as noarch
cert renewal: import all external CA certs on IPA CA cert renewal
replica install: validate DS and HTTP server certificates
replica promotion: fix AVC denials in remote connection check
test_ipagetkeytab: fix missing import
cacert install: fix trust chain validation
client: stop using /etc/pki/nssdb
certdb: never use the -r option of certutil
daemons: remove unused erroneous _ipap11helper import
Ludwig Krispenz (1)#
prevent moving of topology entries out of managed scope by modrdn operations
Lukáš Slebodník (1)#
IPA-SAM: Fix build with samba 4.4
Martin Babinsky (21)#
raise more descriptive Backend connection-related exceptions
prevent crash of CA-less server upgrade due to absent certmonger
use FFI call to rpmvercmp function for version comparison
tests for package version comparison
fix Py3 incompatible exception instantiation in replica install code
ipa-csreplica-manage: remove extraneous ldap2 connection
IPA upgrade: move replication ACIs to the mapping tree entry
uninstallation: more robust check for master removal from topology
correctly set LDAP bind related attributes when setting up replication
disable RA plugins when promoting a replica from CA-less master
fix standalone installation of externally signed CA on IPA master
reset ldap.conf to point to newly installer replica after promotion
always start certmonger during IPA server configuration upgrade
upgrade: unconditional import of certificate profiles into LDAP
CI tests: use old schema when testing hostmask-based sudo rules
use LDAPS during standalone CA/KRA subsystem deployment
test_cert_plugin: use only first part of the hostname to construct short name
only search for Kerberos SRV records when autodiscovery was requested
spec: add conflict with bind-chroot to freeipa-server-dns
spec: require python-cryptography newer than 0.9
otptoken-add: improve the robustness of QR code printing
Martin Bašti (36)#
Fix DNS tests: dns-resolve returns warning
Fix version comparison
Fix: replace mkdir with chmod
Allow to used mixed case for sysrestore
Upgrade: Fix upgrade of NIS Server configuration
DNSSEC test: fix adding zones with –skip-overlap-check
DNSSEC CI: add missing ldns-utils dependency
CI test: fix regression in task.install_kra
Warn about potential loss of CA, KRA, DNSSEC during uninstall
Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
Exclude o=ipaca subtree from Retro Changelog (syncrepl)
Fix DNSSEC test: add glue record
DNSSEC CI: fix zone delegations
make lint: use config file and plugin for pylint
Disable new pylint checks
Py3: do not use dict.iteritems()
upgrade: fix config of sidgen and extdom plugins
trusts: use ipaNTTrustPartner attribute to detect trust entries
Warn user if trust is broken
fix upgrade: wait for proper DS socket after DS restart
Revert “test: Temporarily increase timeout in vault test.”
Pylint: add missing attributes of errors to definitions
fix permission: Read Replication Agreements
Make PTR records check optional for IPA installation
Fix connections to DS during installation
pylint: supress false positive no-member errors
CI: allow customized DS install test to work with domain levels
fix suspicious except statements
Configure 389ds with “default” cipher suite
krb5conf: use ‘true’ instead of ‘yes’ for forwardable option
stageuser-activate: Normalize manager value
Remove redundant parameters from CS.cfg in dogtaginstance
Fix broken trust warnings
spec: Add missing dependencies to python*-ipalib package
SPEC: do not run upgrade when ipa server is not installed
Fix stageuser-activate - managers test
Michael Simacek (1)#
Fix bytes/string handling in rpc
Milan Kubík (6)#
ipatests: Roll back the forwarder config after a test case
ipatests: Fix configuration problems in dns tests
ipatests: Make the A record for hosts in topology conditional
ipatests: fix the install of external ca
ipatests: Add missing certificate profile fixture
ipatests: extend permission plugin test with new expected output
Oleg Fayans (17)#
CI tests: Enabled automatic creation of reverse zone during master installation
CI tests: Added domain realm as a parameter to master installation in integration tests
Fixed install_ca and install_kra under domain level 0
fixed an issue with master installation not creating reverse zone
Enabled recreation of test directory in apply_common_fixes function
Updated connect/disconnect replica to work with both domainlevels
Removed –ip-address option from replica installation
Removed messing around with resolv.conf
Integration tests for replica promotion feature
Enabled setting domain level explicitly in test class
Removed a constantly failing call to prepare_host
Made apply_common_fixes call at replica installation independent on domain_level
Workaround for ticket 5627
Added copyright info to replica promotion tests
rewrite a misprocessed teardown_method method as a custom decorator
Reverted changes in mh fixture causing some tests to fail
Fixed a bug with prepare_host failing upon existing ipatests folder
Pavel Vomacka (4)#
Add pan and zoom functionality to the topology graph
Nodes stay fixed after initial animation.
Add field for group id in user add dialog
Resize topology graph canvas according to window size
Petr Viktorin (23)#
Use explicit truncating division
Don’t index exceptions directly
Use print_function future definition wherever print() is used
Alias “unicode” to “str” under Python 3
Avoid builtins that were removed in Python 3
dnsutil: Rename __nonzero__ to __bool__
Remove deprecated contrib/RHEL4
make-lint: Allow running pylint –py3k to detect Python3 issues
Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
test_parameters: Ignore specific error message
ipaldap, ldapupdate: Encoding fixes for Python 3
ipautil.run, kernel_keyring: Encoding fixes for Python 3
tests: Use absolute imports
ipautil: Use mode ‘w+’ in write_tmp_file
test_util: str/bytes check fixes for Python 3
p11helper: Port to Python 3
cli: Don’t encode/decode for stdin/stdout on Python 3
Package python3-ipaclient
migration.py: Remove stray get_ipa_basedn import
Move get_ipa_basedn from ipautil to ipadiscovery
ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
ipapython.sysrestore: Use str methods instead of functions from the string module
ipalib.x809: Accept bytes for make_pem
Petr Voborník (11)#
webui: add examples to network address validator error message
webui: pwpolicy cospriority field was marked as required
spec: do not require arch specific ipalib package from noarch packages
webui: dislay server suffixes in server search page
stop installer when setup-ds.pl fail
webui: remove moot error from webui build
webui: use API call ca_is_enabled instead of enable_ra env variable.
advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
cookie parser: do not fail on cookie with empty value
fix incorrect name of ipa-winsync-migrate command in help
Become IPA 4.3.1
Petr Špaček (15)#
DNSSEC: Improve error reporting from ipa-ods-exporter
DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
DNSSEC: Make sure that current key state in LDAP matches key state in BIND
DNSSEC: remove obsolete TODO note
DNSSEC: add debug mode to ldapkeydb.py
DNSSEC: logging improvements in ipa-ods-exporter
DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
DNSSEC: ipa-ods-exporter: add ldap-cleanup command
DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
DNSSEC: Log debug messages at log level DEBUG
Fix –auto-reverse option in –unattended mode.
Fix dns_is_enabled() API command to throw exceptions as appropriate
Fix DNS zone overlap check to allow ipa-replica-install to work
Fix ipa-adtrust-install to always generate SRV records with FQDNs
Simo Sorce (6)#
Use only AES enctypes by default
Always verify we have a valid ldap context.
Improve keytab code to select the right principal.
Convert ipa-sam to use the new getkeytab control
Allow admins to disable preauth for SPNs.
Allow to specify Kerberos authz data type per user
Stanislav Laznicka (4)#
Listing and cleaning RUV extended for CA suffix
Automatically detect and remove dangling RUVs
Cosmetic changes to the code
Fixes minor issues
Sumit Bose (1)#
ipa-kdb: map_groups() consider all results
Thierry Bordaz (2)#
configure DNA plugin shared config entries to allow connection with GSSAPI
DS deadlock when memberof scopes topology plugin updates
Timo Aaltonen (6)#
Use HTTPD_USER in dogtaginstance.py
Move freeipa certmonger helpers to libexecdir.
ipa_restore: Import only FQDN from ipalib.constants
ipaplatform: Move remaining user/group constants to ipaplatform.constants.
Use ODS_USER/ODS_GROUP in opendnssec_conf.template
Fix kdc.conf.template to use ipaplatform.paths.
Tomáš Babej (4)#
py3: Remove py3 incompatible exception handling
ipa-adtrust-install: Allow dash in the NETBIOS name
spec: Bump required sssd version to 1.13.3-5
adtrustinstance: Make sure smb.conf exists