The FreeIPA team would like to announce FreeIPA v4.3.1 bug fixing release!

It can be downloaded from The builds are available for Fedora 24 and Rawhide. Builds for Fedora 23 are available in the official COPR repository. Experimental builds for CentOS 7 are available in the official FreeIPA CentOS7 COPR repository.

Highlights in 4.3.1

  • The FreeIPA Apache instance has an updated mod_nss cipher suite that only allows secure ciphers #5589

  • Directory Server is configured with the “default” cipher suite instead of “+all” #5684

  • The topology graph user experience was improved: the graph is enlarged to fill all available space, and it can be moved and zoomed so that it handles bigger topologies better #5502, #5649, #5647

  • The MS-PAC extension was made optional for users #2579, currently without UI #5752

  • Added an option to disable preauth for service principal names, configurable via the ipaconfigstring value “KDC:Disable Default Preauth for SPNs” in the server config #3860

  • Improved behavior of the DNA plugin in complex FreeIPA environments where replicas are not all interconnected, so that Directory Server is able to look up ranges on other servers once a range is exhausted #4026

  • The 3des and rc4 enctypes are no longer used on new installations of the FreeIPA server #4740

  • The `ipa-replica-manage clean-dangling-ruv` subcommand was added to help with cases of dangling RUVs, especially those related to the CA suffix #5411

  • The deprecated keytab_set extended operation was removed from the ipasam module #5495

  • An option was added to the Web UI to allow specifying the GID number in the user adder dialog

  • Improved warning message on uninstallation of a replica, notifying that the admin might be removing the last CA, KRA or DNSSEC master #5544

  • FreeIPA Python packages were made independent of architecture (noarch) #5596

  • AD users are now shown as members of IPA groups when an external group is added to an IPA group #4403

Bug fixes

  • fixed bug where `ipa-cacert-manage install` failed on intermediate CA certs #5612

  • fixed bug where ipa-server-install didn’t stop on error and subsequently reported an incorrect root cause #2539

  • fixed bug where ipa-ca-install hung on creating a temporary CA admin during replica promotion #5412

  • fixed issue with the vault-archive command sometimes not working #5538

  • fixed regression in Web UI where the required indicator ‘*’ was missing on the Global Password Policy page, priority field #5553

  • fixed regression in reverse zone creation/handling on domain level 0 in ipa-replica-prepare by adding the --auto-reverse and --allow-zone-overlap options #5563

  • fixed bug where the DNS zone overlap check caused failure of ipa-dns-install #5564

  • fixed upgrade bug which prevented installation of replicas from masters updated to 4.3.0 #5575

  • fixed rare bug in connection handling which could cause a crash of the KDC #5577

  • fixed regression in updating DNS entries in `ipa-csreplica-manage del` #5583

  • fixed suffixes not being displayed in the IPA servers table in the Web UI #5609

  • fixed deadlock in Directory Server between slapi-nis/memberof when a topology segment was added/removed #5637

  • fixed issue where ipa-adtrust-install sometimes created incorrect SRV records #5663


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list or the #freeipa channel on Freenode.

Detailed Changelog since 4.3.0

Abhijeet Kasurde (1)

  • Fixed login error message box in LoginScreen page

Alexander Bokovoy (1)

  • slapi-nis: update configuration to allow external members of IPA groups

Christian Heimes (3)

  • Require Dogtag 10.2.6-13 to fix KRA uninstall

  • Modernize mod_nss’s cipher suites

  • Move user/group constants for PKI and DS into ipaplatform

David Kupka (19)

  • installer: Propagate option values from components instead of copying them.

  • installer: Fix logic of reading option values from cache.

  • ipa-dns-install: Do not check for zone overlap when DNS installed.

  • ipa-replica-prepare: Add ‘--auto-reverse’ and ‘--allow-zone-overlap’ options

  • installer: Change reverse zones question to better reflect reality.

  • Fix: Use unattended parameter instead of options.unattended

  • CI: Add ‘2-connected’ topology generator.

  • CI: Add simple replication test in 2-connected topology.

  • CI: Add test for 2-connected topology generator.

  • CI: Fix pep8 errors in 2-connected topology generator

  • CI: add empty topology test for 2-connected topology generator

  • CI: Add double circle topology.

  • CI: Add replication test utilizing double-circle topology.

  • CI: Add test for double-circle topology generator.

  • CI: Make double circle topology python3 compatible

  • upgrade: Match whole pre/post command not just basename.

  • dsinstance: add start_tracking_certificates method

  • httpinstance: add start_tracking_certificates method

  • Look up HTTPD_USER’s UID and GID during installation.

Filip Skola (3)

  • Refactor test_user_plugin, use UserTracker for tests

  • Refactor test_replace

  • Refactor test_attr

Fraser Tweedale (1)

  • Do not decode HTTP reason phrase from Dogtag

Jan Cholasta (13)

  • ipalib: assume version 2.0 when skip_version_check is enabled

  • ipapython: remove default_encoding_utf8

  • ipapython: port p11helper C code to Python

  • ipapython: use python-cryptography instead of libcrypto in p11helper

  • spec file: package python-ipalib as noarch

  • cert renewal: import all external CA certs on IPA CA cert renewal

  • replica install: validate DS and HTTP server certificates

  • replica promotion: fix AVC denials in remote connection check

  • test_ipagetkeytab: fix missing import

  • cacert install: fix trust chain validation

  • client: stop using /etc/pki/nssdb

  • certdb: never use the -r option of certutil

  • daemons: remove unused erroneous _ipap11helper import

Ludwig Krispenz (1)

  • prevent moving of topology entries out of managed scope by modrdn operations

Lukáš Slebodník (1)

  • IPA-SAM: Fix build with samba 4.4

Martin Babinsky (21)

  • raise more descriptive Backend connection-related exceptions

  • prevent crash of CA-less server upgrade due to absent certmonger

  • use FFI call to rpmvercmp function for version comparison

  • tests for package version comparison

  • fix Py3 incompatible exception instantiation in replica install code

  • ipa-csreplica-manage: remove extraneous ldap2 connection

  • IPA upgrade: move replication ACIs to the mapping tree entry

  • uninstallation: more robust check for master removal from topology

  • correctly set LDAP bind related attributes when setting up replication

  • disable RA plugins when promoting a replica from CA-less master

  • fix standalone installation of externally signed CA on IPA master

  • reset ldap.conf to point to newly installed replica after promotion

  • always start certmonger during IPA server configuration upgrade

  • upgrade: unconditional import of certificate profiles into LDAP

  • CI tests: use old schema when testing hostmask-based sudo rules

  • use LDAPS during standalone CA/KRA subsystem deployment

  • test_cert_plugin: use only first part of the hostname to construct short name

  • only search for Kerberos SRV records when autodiscovery was requested

  • spec: add conflict with bind-chroot to freeipa-server-dns

  • spec: require python-cryptography newer than 0.9

  • otptoken-add: improve the robustness of QR code printing

Martin Bašti (36)

  • Fix DNS tests: dns-resolve returns warning

  • Fix version comparison

  • Fix: replace mkdir with chmod

  • Allow to use mixed case for sysrestore

  • Upgrade: Fix upgrade of NIS Server configuration

  • DNSSEC test: fix adding zones with --skip-overlap-check

  • DNSSEC CI: add missing ldns-utils dependency

  • CI test: fix regression in task.install_kra

  • Warn about potential loss of CA, KRA, DNSSEC during uninstall

  • Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter

  • Exclude o=ipaca subtree from Retro Changelog (syncrepl)

  • Fix DNSSEC test: add glue record

  • DNSSEC CI: fix zone delegations

  • make lint: use config file and plugin for pylint

  • Disable new pylint checks

  • Py3: do not use dict.iteritems()

  • upgrade: fix config of sidgen and extdom plugins

  • trusts: use ipaNTTrustPartner attribute to detect trust entries

  • Warn user if trust is broken

  • fix upgrade: wait for proper DS socket after DS restart

  • Revert “test: Temporarily increase timeout in vault test.”

  • Pylint: add missing attributes of errors to definitions

  • fix permission: Read Replication Agreements

  • Make PTR records check optional for IPA installation

  • Fix connections to DS during installation

  • pylint: suppress false positive no-member errors

  • CI: allow customized DS install test to work with domain levels

  • fix suspicious except statements

  • Configure 389ds with “default” cipher suite

  • krb5conf: use ‘true’ instead of ‘yes’ for forwardable option

  • stageuser-activate: Normalize manager value

  • Remove redundant parameters from CS.cfg in dogtaginstance

  • Fix broken trust warnings

  • spec: Add missing dependencies to python*-ipalib package

  • SPEC: do not run upgrade when ipa server is not installed

  • Fix stageuser-activate - managers test

Michael Simacek (1)

  • Fix bytes/string handling in rpc

Milan Kubík (6)

  • ipatests: Roll back the forwarder config after a test case

  • ipatests: Fix configuration problems in dns tests

  • ipatests: Make the A record for hosts in topology conditional

  • ipatests: fix the install of external ca

  • ipatests: Add missing certificate profile fixture

  • ipatests: extend permission plugin test with new expected output

Oleg Fayans (17)

  • CI tests: Enabled automatic creation of reverse zone during master installation

  • CI tests: Added domain realm as a parameter to master installation in integration tests

  • Fixed install_ca and install_kra under domain level 0

  • fixed an issue with master installation not creating reverse zone

  • Enabled recreation of test directory in apply_common_fixes function

  • Updated connect/disconnect replica to work with both domainlevels

  • Removed --ip-address option from replica installation

  • Removed messing around with resolv.conf

  • Integration tests for replica promotion feature

  • Enabled setting domain level explicitly in test class

  • Removed a constantly failing call to prepare_host

  • Made apply_common_fixes call at replica installation independent of domain_level

  • Workaround for ticket 5627

  • Added copyright info to replica promotion tests

  • rewrite a misprocessed teardown_method method as a custom decorator

  • Reverted changes in mh fixture causing some tests to fail

  • Fixed a bug with prepare_host failing upon existing ipatests folder

Pavel Vomacka (4)

  • Add pan and zoom functionality to the topology graph

  • Nodes stay fixed after initial animation.

  • Add field for group id in user add dialog

  • Resize topology graph canvas according to window size

Petr Viktorin (23)

  • Use explicit truncating division

  • Don’t index exceptions directly

  • Use print_function future definition wherever print() is used

  • Alias “unicode” to “str” under Python 3

  • Avoid builtins that were removed in Python 3

  • dnsutil: Rename __nonzero__ to __bool__

  • Remove deprecated contrib/RHEL4

  • make-lint: Allow running pylint --py3k to detect Python3 issues

  • Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)

  • test_parameters: Ignore specific error message

  • ipaldap, ldapupdate: Encoding fixes for Python 3

  •, kernel_keyring: Encoding fixes for Python 3

  • tests: Use absolute imports

  • ipautil: Use mode ‘w+’ in write_tmp_file

  • test_util: str/bytes check fixes for Python 3

  • p11helper: Port to Python 3

  • cli: Don’t encode/decode for stdin/stdout on Python 3

  • Package python3-ipaclient

  • Remove stray get_ipa_basedn import

  • Move get_ipa_basedn from ipautil to ipadiscovery

  • ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()

  • ipapython.sysrestore: Use str methods instead of functions from the string module

  • ipalib.x809: Accept bytes for make_pem

Petr Voborník (11)

  • webui: add examples to network address validator error message

  • webui: pwpolicy cospriority field was marked as required

  • spec: do not require arch specific ipalib package from noarch packages

  • webui: display server suffixes in server search page

  • stop installer when it fails

  • webui: remove moot error from webui build

  • webui: use API call ca_is_enabled instead of enable_ra env variable.

  • advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins

  • cookie parser: do not fail on cookie with empty value

  • fix incorrect name of ipa-winsync-migrate command in help

  • Become IPA 4.3.1

Petr Špaček (15)

  • DNSSEC: Improve error reporting from ipa-ods-exporter

  • DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP

  • DNSSEC: Make sure that current key state in LDAP matches key state in BIND

  • DNSSEC: remove obsolete TODO note

  • DNSSEC: add debug mode to

  • DNSSEC: logging improvements in ipa-ods-exporter

  • DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP

  • DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP

  • DNSSEC: ipa-ods-exporter: add ldap-cleanup command

  • DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal

  • DNSSEC: Log debug messages at log level DEBUG

  • Fix --auto-reverse option in --unattended mode.

  • Fix dns_is_enabled() API command to throw exceptions as appropriate

  • Fix DNS zone overlap check to allow ipa-replica-install to work

  • Fix ipa-adtrust-install to always generate SRV records with FQDNs

Simo Sorce (6)

  • Use only AES enctypes by default

  • Always verify we have a valid ldap context.

  • Improve keytab code to select the right principal.

  • Convert ipa-sam to use the new getkeytab control

  • Allow admins to disable preauth for SPNs.

  • Allow to specify Kerberos authz data type per user

Stanislav Laznicka (4)

  • Listing and cleaning RUV extended for CA suffix

  • Automatically detect and remove dangling RUVs

  • Cosmetic changes to the code

  • Fixes minor issues

Sumit Bose (1)

  • ipa-kdb: map_groups() consider all results

Thierry Bordaz (2)

  • configure DNA plugin shared config entries to allow connection with GSSAPI

  • DS deadlock when memberof scopes topology plugin updates

Timo Aaltonen (6)

  • Use HTTPD_USER in

  • Move freeipa certmonger helpers to libexecdir.

  • ipa_restore: Import only FQDN from ipalib.constants

  • ipaplatform: Move remaining user/group constants to ipaplatform.constants.

  • Use ODS_USER/ODS_GROUP in opendnssec_conf.template

  • Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (4)

  • py3: Remove py3 incompatible exception handling

  • ipa-adtrust-install: Allow dash in the NETBIOS name

  • spec: Bump required sssd version to 1.13.3-5

  • adtrustinstance: Make sure smb.conf exists