

Release date: 2016-03-24

The FreeIPA team would like to announce the FreeIPA v4.3.1 bug-fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the official COPR repository. Experimental builds for CentOS 7 are available in the official FreeIPA CentOS7 COPR repository.

Highlights in 4.3.1


  • FreeIPA Apache instance has an updated mod_nss cipher suite that only allows secure ciphers #5589
  • Directory Server is configured with the "default" cipher suite instead of "+all" #5684
  • topology graph user experience was improved. The graph is enlarged to fill all available space, and it can be moved and zoomed so that it handles bigger topologies better. #5502, #5649, #5647
  • MS-PAC extension was made optional for users #2579, currently without UI #5752
  • added option to disable preauth for service principal names. Configurable via the ipaconfigstring value "KDC:Disable Default Preauth for SPNs" in server config. #3860
  • improved behavior of the DNA plugin in complex FreeIPA environments where replicas are not all interconnected, so that the directory server is able to look up ranges on other servers once a range is exhausted #4026
  • 3des and rc4 enctypes are no longer used on new installations of FreeIPA server #4740
  • `ipa-replica-manage clean-dangling-ruv` subcommand was added to help with cases with dangling RUVs, especially the ones related to the CA suffix #5411
  • deprecated keytab_set extended operation was removed from the ipasam module #5495
  • an option was added to the Web UI to allow specifying the GID number in the user add dialog
  • improved warning message on uninstallation of a replica, notifying that the admin might be removing the last CA, KRA or DNSSEC master #5544
  • FreeIPA python packages were made architecture-independent (noarch) #5596
  • AD users are now shown as members of IPA groups when an external group is added to an IPA group #4403
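The enctype change in the highlights (3des and rc4 no longer used on new installations) only applies to fresh installs, so an administrator running a server that was installed earlier and upgraded will want to check the Kerberos configuration for the weak families still being offered. The following added example is not code from the FreeIPA project: it parses kdc.conf/krb5.conf-style enctype settings (the real MIT krb5 keys `supported_enctypes`, `permitted_enctypes`, `default_tkt_enctypes` and `default_tgs_enctypes`) and reports entries from the 3DES, single-DES and RC4 families. The two configuration snippets are constructed for the example.

```python
import re

# Enctype name prefixes that the 4.3.1 notes say are no longer used on new
# installations (3DES, RC4), plus single DES, which is weaker still.
WEAK_ENCTYPE_PATTERNS = (
    re.compile(r"^des3-"),            # triple DES, e.g. des3-cbc-sha1, des3-hmac-sha1
    re.compile(r"^des-"),             # single DES, e.g. des-cbc-crc
    re.compile(r"^(arcfour|rc4)-"),   # RC4, e.g. arcfour-hmac, arcfour-hmac-exp
)

# Keys that carry enctype lists in kdc.conf (realm stanza) and krb5.conf
# ([libdefaults]); all four are real MIT krb5 option names.
ENCTYPE_KEY_RE = re.compile(
    r"^(supported_enctypes|permitted_enctypes|default_tkt_enctypes|default_tgs_enctypes)"
    r"\s*=\s*(.+)$"
)


def parse_enctype_list(value):
    """Split an enctype value such as
    'aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal'
    into bare enctype names, dropping any ':salt' suffix used by kdc.conf."""
    names = []
    for token in value.replace(",", " ").split():
        name = token.split(":", 1)[0].strip().lower()
        if name:
            names.append(name)
    return names


def weak_enctypes(value):
    """Return the enctype names in `value` that belong to a weak family."""
    return [
        name for name in parse_enctype_list(value)
        if any(pattern.match(name) for pattern in WEAK_ENCTYPE_PATTERNS)
    ]


def audit_enctype_config(text):
    """Scan configuration text line by line and return a mapping of
    option name -> list of weak enctypes found in that option.
    Comments (after '#') are ignored; an empty dict means nothing weak."""
    findings = {}
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0].strip()
        match = ENCTYPE_KEY_RE.match(line)
        if not match:
            continue
        weak = weak_enctypes(match.group(2))
        if weak:
            findings.setdefault(match.group(1), []).extend(weak)
    return findings


# Constructed kdc.conf realm stanza resembling an older install that still
# lists 3DES and RC4 (sample input, not taken from a real server).
LEGACY_KDC_CONF = """
[realms]
  EXAMPLE.TEST = {
    master_key_type = aes256-cts
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
  }
"""

# Constructed stanza with only AES enctypes, as a 4.3.1 fresh install would have.
HARDENED_KDC_CONF = """
[realms]
  EXAMPLE.TEST = {
    master_key_type = aes256-cts
    supported_enctypes = aes256-cts:normal aes128-cts:normal  # AES only
  }
"""


if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_KDC_CONF), ("hardened", HARDENED_KDC_CONF)):
        findings = audit_enctype_config(text)
        if findings:
            for option, weak in findings.items():
                print("%s: %s still lists weak enctypes: %s" % (label, option, ", ".join(weak)))
        else:
            print("%s: no weak enctypes found" % label)
```

Run it against the real files (`/var/kerberos/krb5kdc/kdc.conf` and `/etc/krb5.conf` on a server) by reading them into `audit_enctype_config`; the returned mapping is empty when none of the enctype options still offer DES, 3DES or RC4.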

Bug fixes

  • fixed bug where `ipa-cacert-manage install` failed on intermediate CA certs #5612
  • fixed bug where ipa-server-install didn't stop on error and subsequently reported an incorrect root cause #2539
  • fixed bug where ipa-ca-install hung on creating a temporary CA admin during replica promotion #5412
  • fixed issue with the vault-archive command sometimes not working #5538
  • fixed regression in Web UI where the required indicator '*' was missing on the Global Password Policy page, priority field #5553
  • fixed regression in reverse zone creation/handling on domain level 0 in ipa-replica-prepare by adding --auto-reverse and --allow-zone-overlap options #5563
  • fixed bug where the DNS zone overlap check caused failure of ipa-dns-install #5564
  • fixed upgrade bug which prevented installation of replicas from masters updated to 4.3.0 #5575
  • fixed rare bug in connection handling which could cause a crash of the KDC #5577
  • fixed regression in updating DNS entries in `ipa-csreplica-manage del` #5583
  • fixed suffixes not being displayed in the IPA servers table in Web UI #5609
  • fixed deadlock in directory server between slapi-nis/memberof when a topology segment was added/removed #5637
  • fixed issue where ipa-adtrust-install sometimes created incorrect SRV records #5663


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Detailed Changelog since 4.3.0

Abhijeet Kasurde (1)

  • Fixed login error message box in LoginScreen page

Alexander Bokovoy (1)

  • slapi-nis: update configuration to allow external members of IPA groups

Christian Heimes (3)

  • Require Dogtag 10.2.6-13 to fix KRA uninstall
  • Modernize mod_nss's cipher suites
  • Move user/group constants for PKI and DS into ipaplatform

David Kupka (19)

  • installer: Propagate option values from components instead of copying them.
  • installer: Fix logic of reading option values from cache.
  • ipa-dns-install: Do not check for zone overlap when DNS installed.
  • ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
  • installer: Change reverse zones question to better reflect reality.
  • Fix: Use unattended parameter instead of options.unattended
  • CI: Add '2-connected' topology generator.
  • CI: Add simple replication test in 2-connected topology.
  • CI: Add test for 2-connected topology generator.
  • CI: Fix pep8 errors in 2-connected topology generator
  • CI: add empty topology test for 2-connected topology generator
  • CI: Add double circle topology.
  • CI: Add replication test utilizing double-circle topology.
  • CI: Add test for double-circle topology generator.
  • CI: Make double circle topology python3 compatible
  • upgrade: Match whole pre/post command not just basename.
  • dsinstance: add start_tracking_certificates method
  • httpinstance: add start_tracking_certificates method
  • Look up HTTPD_USER's UID and GID during installation.

Filip Skola (3)

  • Refactor test_user_plugin, use UserTracker for tests
  • Refactor test_replace
  • Refactor test_attr

Fraser Tweedale (1)

  • Do not decode HTTP reason phrase from Dogtag

Jan Cholasta (13)

  • ipalib: assume version 2.0 when skip_version_check is enabled
  • ipapython: remove default_encoding_utf8
  • ipapython: port p11helper C code to Python
  • ipapython: use python-cryptography instead of libcrypto in p11helper
  • spec file: package python-ipalib as noarch
  • cert renewal: import all external CA certs on IPA CA cert renewal
  • replica install: validate DS and HTTP server certificates
  • replica promotion: fix AVC denials in remote connection check
  • test_ipagetkeytab: fix missing import
  • cacert install: fix trust chain validation
  • client: stop using /etc/pki/nssdb
  • certdb: never use the -r option of certutil
  • daemons: remove unused erroneous _ipap11helper import

Ludwig Krispenz (1)

  • prevent moving of topology entries out of managed scope by modrdn operations

Lukáš Slebodník (1)

  • IPA-SAM: Fix build with samba 4.4

Martin Babinsky (21)

  • raise more descriptive Backend connection-related exceptions
  • prevent crash of CA-less server upgrade due to absent certmonger
  • use FFI call to rpmvercmp function for version comparison
  • tests for package version comparison
  • fix Py3 incompatible exception instantiation in replica install code
  • ipa-csreplica-manage: remove extraneous ldap2 connection
  • IPA upgrade: move replication ACIs to the mapping tree entry
  • uninstallation: more robust check for master removal from topology
  • correctly set LDAP bind related attributes when setting up replication
  • disable RA plugins when promoting a replica from CA-less master
  • fix standalone installation of externally signed CA on IPA master
  • reset ldap.conf to point to newly installed replica after promotion
  • always start certmonger during IPA server configuration upgrade
  • upgrade: unconditional import of certificate profiles into LDAP
  • CI tests: use old schema when testing hostmask-based sudo rules
  • use LDAPS during standalone CA/KRA subsystem deployment
  • test_cert_plugin: use only first part of the hostname to construct short name
  • only search for Kerberos SRV records when autodiscovery was requested
  • spec: add conflict with bind-chroot to freeipa-server-dns
  • spec: require python-cryptography newer than 0.9
  • otptoken-add: improve the robustness of QR code printing

Martin Bašti (36)

  • Fix DNS tests: dns-resolve returns warning
  • Fix version comparison
  • Fix: replace mkdir with chmod
  • Allow to use mixed case for sysrestore
  • Upgrade: Fix upgrade of NIS Server configuration
  • DNSSEC test: fix adding zones with --skip-overlap-check
  • DNSSEC CI: add missing ldns-utils dependency
  • CI test: fix regression in task.install_kra
  • Warn about potential loss of CA, KRA, DNSSEC during uninstall
  • Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
  • Exclude o=ipaca subtree from Retro Changelog (syncrepl)
  • Fix DNSSEC test: add glue record
  • DNSSEC CI: fix zone delegations
  • make lint: use config file and plugin for pylint
  • Disable new pylint checks
  • Py3: do not use dict.iteritems()
  • upgrade: fix config of sidgen and extdom plugins
  • trusts: use ipaNTTrustPartner attribute to detect trust entries
  • Warn user if trust is broken
  • fix upgrade: wait for proper DS socket after DS restart
  • Revert "test: Temporarily increase timeout in vault test."
  • Pylint: add missing attributes of errors to definitions
  • fix permission: Read Replication Agreements
  • Make PTR records check optional for IPA installation
  • Fix connections to DS during installation
  • pylint: suppress false positive no-member errors
  • CI: allow customized DS install test to work with domain levels
  • fix suspicious except statements
  • Configure 389ds with "default" cipher suite
  • krb5conf: use 'true' instead of 'yes' for forwardable option
  • stageuser-activate: Normalize manager value
  • Remove redundant parameters from CS.cfg in dogtaginstance
  • Fix broken trust warnings
  • spec: Add missing dependencies to python*-ipalib package
  • SPEC: do not run upgrade when ipa server is not installed
  • Fix stageuser-activate - managers test

Michael Simacek (1)

  • Fix bytes/string handling in rpc

Milan Kubík (6)

  • ipatests: Roll back the forwarder config after a test case
  • ipatests: Fix configuration problems in dns tests
  • ipatests: Make the A record for hosts in topology conditional
  • ipatests: fix the install of external ca
  • ipatests: Add missing certificate profile fixture
  • ipatests: extend permission plugin test with new expected output

Oleg Fayans (17)

  • CI tests: Enabled automatic creation of reverse zone during master installation
  • CI tests: Added domain realm as a parameter to master installation in integration tests
  • Fixed install_ca and install_kra under domain level 0
  • fixed an issue with master installation not creating reverse zone
  • Enabled recreation of test directory in apply_common_fixes function
  • Updated connect/disconnect replica to work with both domainlevels
  • Removed --ip-address option from replica installation
  • Removed messing around with resolv.conf
  • Integration tests for replica promotion feature
  • Enabled setting domain level explicitly in test class
  • Removed a constantly failing call to prepare_host
  • Made apply_common_fixes call at replica installation independent on domain_level
  • Workaround for ticket 5627
  • Added copyright info to replica promotion tests
  • rewrite a misprocessed teardown_method method as a custom decorator
  • Reverted changes in mh fixture causing some tests to fail
  • Fixed a bug with prepare_host failing upon existing ipatests folder

Pavel Vomacka (4)

  • Add pan and zoom functionality to the topology graph
  • Nodes stay fixed after initial animation.
  • Add field for group id in user add dialog
  • Resize topology graph canvas according to window size

Petr Viktorin (23)

  • Use explicit truncating division
  • Don't index exceptions directly
  • Use print_function future definition wherever print() is used
  • Alias "unicode" to "str" under Python 3
  • Avoid builtins that were removed in Python 3
  • dnsutil: Rename __nonzero__ to __bool__
  • Remove deprecated contrib/RHEL4
  • make-lint: Allow running pylint --py3k to detect Python3 issues
  • Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
  • test_parameters: Ignore specific error message
  • ipaldap, ldapupdate: Encoding fixes for Python 3
  • ipautil.run, kernel_keyring: Encoding fixes for Python 3
  • tests: Use absolute imports
  • ipautil: Use mode 'w+' in write_tmp_file
  • test_util: str/bytes check fixes for Python 3
  • p11helper: Port to Python 3
  • cli: Don't encode/decode for stdin/stdout on Python 3
  • Package python3-ipaclient
  • migration.py: Remove stray get_ipa_basedn import
  • Move get_ipa_basedn from ipautil to ipadiscovery
  • ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
  • ipapython.sysrestore: Use str methods instead of functions from the string module
  • ipalib.x809: Accept bytes for make_pem

Petr Voborník (11)

  • webui: add examples to network address validator error message
  • webui: pwpolicy cospriority field was marked as required
  • spec: do not require arch specific ipalib package from noarch packages
  • webui: display server suffixes in server search page
  • stop installer when setup-ds.pl fail
  • webui: remove moot error from webui build
  • webui: use API call ca_is_enabled instead of enable_ra env variable.
  • advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
  • cookie parser: do not fail on cookie with empty value
  • fix incorrect name of ipa-winsync-migrate command in help
  • Become IPA 4.3.1

Petr Špaček (15)

  • DNSSEC: Improve error reporting from ipa-ods-exporter
  • DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
  • DNSSEC: Make sure that current key state in LDAP matches key state in BIND
  • DNSSEC: remove obsolete TODO note
  • DNSSEC: add debug mode to ldapkeydb.py
  • DNSSEC: logging improvements in ipa-ods-exporter
  • DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
  • DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
  • DNSSEC: ipa-ods-exporter: add ldap-cleanup command
  • DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
  • DNSSEC: Log debug messages at log level DEBUG
  • Fix --auto-reverse option in --unattended mode.
  • Fix dns_is_enabled() API command to throw exceptions as appropriate
  • Fix DNS zone overlap check to allow ipa-replica-install to work
  • Fix ipa-adtrust-install to always generate SRV records with FQDNs

Simo Sorce (6)

  • Use only AES enctypes by default
  • Always verify we have a valid ldap context.
  • Improve keytab code to select the right principal.
  • Convert ipa-sam to use the new getkeytab control
  • Allow admins to disable preauth for SPNs.
  • Allow to specify Kerberos authz data type per user

Stanislav Laznicka (4)

  • Listing and cleaning RUV extended for CA suffix
  • Automatically detect and remove dangling RUVs
  • Cosmetic changes to the code
  • Fixes minor issues

Sumit Bose (1)

  • ipa-kdb: map_groups() consider all results

Thierry Bordaz (2)

  • configure DNA plugin shared config entries to allow connection with GSSAPI
  • DS deadlock when memberof scopes topology plugin updates

Timo Aaltonen (6)

  • Use HTTPD_USER in dogtaginstance.py
  • Move freeipa certmonger helpers to libexecdir.
  • ipa_restore: Import only FQDN from ipalib.constants
  • ipaplatform: Move remaining user/group constants to ipaplatform.constants.
  • Use ODS_USER/ODS_GROUP in opendnssec_conf.template
  • Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (4)

  • py3: Remove py3 incompatible exception handling
  • ipa-adtrust-install: Allow dash in the NETBIOS name
  • spec: Bump required sssd version to 1.13.3-5
  • adtrustinstance: Make sure smb.conf exists