The FreeIPA team would like to announce the FreeIPA v4.3.1 bug-fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the official COPR repository. Experimental builds for CentOS 7 are available in the official FreeIPA CentOS7 COPR repository.

Highlights in 4.3.1

Enhancements

  • FreeIPA Apache instance has an updated mod_nss cipher suite that only allows secure ciphers #5589

  • Directory Server is configured with the “default” cipher suite instead of “+all” #5684

  • Topology graph user experience was improved: the graph is enlarged to fill all available space and can be moved and zoomed, so it handles bigger topologies better. #5502, #5649, #5647

  • MS-PAC extension was made optional for users #2579; currently without a Web UI option #5752

  • Added an option to disable preauth for service principal names, configurable via the ipaconfigstring value “KDC:Disable Default Preauth for SPNs” in the server config. #3860

  • Improved behavior of the DNA plugin in complex FreeIPA environments where replicas are not all interconnected, so that Directory Server is able to look up ranges on other servers once a range is exhausted #4026

  • 3DES and RC4 enctypes are no longer used on new installations of FreeIPA server #4740

  • `ipa-replica-manage clean-dangling-ruv` subcommand was added to help with cases of dangling RUVs, especially the ones related to the CA suffix #5411

  • The deprecated keytab_set extended operation was removed from the ipasam module #5495

  • An option was added to the Web UI to allow specifying the GID number in the user adder dialog

  • Improved warning message on uninstallation of a replica, notifying that the admin might be removing the last CA, KRA or DNSSEC master #5544

  • FreeIPA Python packages were made architecture-independent (noarch) #5596

  • AD users are now shown as members of IPA groups when an external group is added to an IPA group #4403

Bug fixes

  • fixed bug where `ipa-cacert-manage install` failed on intermediate CA certs #5612

  • fixed bug where ipa-server-install didn’t stop on error and subsequently reported an incorrect root cause #2539

  • fixed bug where ipa-ca-install hung on creating a temporary CA admin during replica promotion #5412

  • fixed issue with vault-archive command sometimes not working #5538

  • fixed regression in Web UI where the required indicator ‘*’ was missing on the Global Password Policy page, priority field #5553

  • fixed regression in reverse zone creation/handling on domain level 0 in ipa-replica-prepare by adding --auto-reverse and --allow-zone-overlap options #5563

  • fixed bug where the DNS zone overlap check caused failure of ipa-dns-install #5564

  • fixed upgrade bug which prevented installation of replicas from masters updated to 4.3.0 #5575

  • fixed rare bug in connection handling which could cause a crash of the KDC #5577

  • fixed regression in updating DNS entries in `ipa-csreplica-manage del` #5583

  • fixed suffixes not being displayed in the IPA servers table in Web UI #5609

  • fixed deadlock in Directory Server between slapi-nis and memberof when a topology segment was added or removed #5637

  • fixed issue where ipa-adtrust-install sometimes created incorrect SRV records #5663

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Detailed Changelog since 4.3.0

Abhijeet Kasurde (1)

  • Fixed login error message box in LoginScreen page

Alexander Bokovoy (1)

  • slapi-nis: update configuration to allow external members of IPA groups

Christian Heimes (3)

  • Require Dogtag 10.2.6-13 to fix KRA uninstall

  • Modernize mod_nss’s cipher suites

  • Move user/group constants for PKI and DS into ipaplatform

David Kupka (19)

  • installer: Propagate option values from components instead of copying them.

  • installer: Fix logic of reading option values from cache.

  • ipa-dns-install: Do not check for zone overlap when DNS installed.

  • ipa-replica-prepare: Add ‘--auto-reverse’ and ‘--allow-zone-overlap’ options

  • installer: Change reverse zones question to better reflect reality.

  • Fix: Use unattended parameter instead of options.unattended

  • CI: Add ‘2-connected’ topology generator.

  • CI: Add simple replication test in 2-connected topology.

  • CI: Add test for 2-connected topology generator.

  • CI: Fix pep8 errors in 2-connected topology generator

  • CI: add empty topology test for 2-connected topology generator

  • CI: Add double circle topology.

  • CI: Add replication test utilizing double-circle topology.

  • CI: Add test for double-circle topology generator.

  • CI: Make double circle topology python3 compatible

  • upgrade: Match whole pre/post command not just basename.

  • dsinstance: add start_tracking_certificates method

  • httpinstance: add start_tracking_certificates method

  • Look up HTTPD_USER’s UID and GID during installation.

Filip Skola (3)

  • Refactor test_user_plugin, use UserTracker for tests

  • Refactor test_replace

  • Refactor test_attr

Fraser Tweedale (1)

  • Do not decode HTTP reason phrase from Dogtag

Jan Cholasta (13)

  • ipalib: assume version 2.0 when skip_version_check is enabled

  • ipapython: remove default_encoding_utf8

  • ipapython: port p11helper C code to Python

  • ipapython: use python-cryptography instead of libcrypto in p11helper

  • spec file: package python-ipalib as noarch

  • cert renewal: import all external CA certs on IPA CA cert renewal

  • replica install: validate DS and HTTP server certificates

  • replica promotion: fix AVC denials in remote connection check

  • test_ipagetkeytab: fix missing import

  • cacert install: fix trust chain validation

  • client: stop using /etc/pki/nssdb

  • certdb: never use the -r option of certutil

  • daemons: remove unused erroneous _ipap11helper import

Ludwig Krispenz (1)

  • prevent moving of topology entries out of managed scope by modrdn operations

Lukáš Slebodník (1)

  • IPA-SAM: Fix build with samba 4.4

Martin Babinsky (21)

  • raise more descriptive Backend connection-related exceptions

  • prevent crash of CA-less server upgrade due to absent certmonger

  • use FFI call to rpmvercmp function for version comparison

  • tests for package version comparison

  • fix Py3 incompatible exception instantiation in replica install code

  • ipa-csreplica-manage: remove extraneous ldap2 connection

  • IPA upgrade: move replication ACIs to the mapping tree entry

  • uninstallation: more robust check for master removal from topology

  • correctly set LDAP bind related attributes when setting up replication

  • disable RA plugins when promoting a replica from CA-less master

  • fix standalone installation of externally signed CA on IPA master

  • reset ldap.conf to point to newly installed replica after promotion

  • always start certmonger during IPA server configuration upgrade

  • upgrade: unconditional import of certificate profiles into LDAP

  • CI tests: use old schema when testing hostmask-based sudo rules

  • use LDAPS during standalone CA/KRA subsystem deployment

  • test_cert_plugin: use only first part of the hostname to construct short name

  • only search for Kerberos SRV records when autodiscovery was requested

  • spec: add conflict with bind-chroot to freeipa-server-dns

  • spec: require python-cryptography newer than 0.9

  • otptoken-add: improve the robustness of QR code printing

Martin Bašti (36)

  • Fix DNS tests: dns-resolve returns warning

  • Fix version comparison

  • Fix: replace mkdir with chmod

  • Allow using mixed case for sysrestore

  • Upgrade: Fix upgrade of NIS Server configuration

  • DNSSEC test: fix adding zones with --skip-overlap-check

  • DNSSEC CI: add missing ldns-utils dependency

  • CI test: fix regression in task.install_kra

  • Warn about potential loss of CA, KRA, DNSSEC during uninstall

  • Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter

  • Exclude o=ipaca subtree from Retro Changelog (syncrepl)

  • Fix DNSSEC test: add glue record

  • DNSSEC CI: fix zone delegations

  • make lint: use config file and plugin for pylint

  • Disable new pylint checks

  • Py3: do not use dict.iteritems()

  • upgrade: fix config of sidgen and extdom plugins

  • trusts: use ipaNTTrustPartner attribute to detect trust entries

  • Warn user if trust is broken

  • fix upgrade: wait for proper DS socket after DS restart

  • Revert “test: Temporarily increase timeout in vault test.”

  • Pylint: add missing attributes of errors to definitions

  • fix permission: Read Replication Agreements

  • Make PTR records check optional for IPA installation

  • Fix connections to DS during installation

  • pylint: suppress false positive no-member errors

  • CI: allow customized DS install test to work with domain levels

  • fix suspicious except statements

  • Configure 389ds with “default” cipher suite

  • krb5conf: use ‘true’ instead of ‘yes’ for forwardable option

  • stageuser-activate: Normalize manager value

  • Remove redundant parameters from CS.cfg in dogtaginstance

  • Fix broken trust warnings

  • spec: Add missing dependencies to python*-ipalib package

  • SPEC: do not run upgrade when ipa server is not installed

  • Fix stageuser-activate - managers test

Michael Simacek (1)

  • Fix bytes/string handling in rpc

Milan Kubík (6)

  • ipatests: Roll back the forwarder config after a test case

  • ipatests: Fix configuration problems in dns tests

  • ipatests: Make the A record for hosts in topology conditional

  • ipatests: fix the install of external ca

  • ipatests: Add missing certificate profile fixture

  • ipatests: extend permission plugin test with new expected output

Oleg Fayans (17)

  • CI tests: Enabled automatic creation of reverse zone during master installation

  • CI tests: Added domain realm as a parameter to master installation in integration tests

  • Fixed install_ca and install_kra under domain level 0

  • fixed an issue with master installation not creating reverse zone

  • Enabled recreation of test directory in apply_common_fixes function

  • Updated connect/disconnect replica to work with both domainlevels

  • Removed --ip-address option from replica installation

  • Removed messing around with resolv.conf

  • Integration tests for replica promotion feature

  • Enabled setting domain level explicitly in test class

  • Removed a constantly failing call to prepare_host

  • Made apply_common_fixes call at replica installation independent of domain_level

  • Workaround for ticket 5627

  • Added copyright info to replica promotion tests

  • rewrite a misprocessed teardown_method method as a custom decorator

  • Reverted changes in mh fixture causing some tests to fail

  • Fixed a bug with prepare_host failing upon existing ipatests folder

Pavel Vomacka (4)

  • Add pan and zoom functionality to the topology graph

  • Nodes stay fixed after initial animation.

  • Add field for group id in user add dialog

  • Resize topology graph canvas according to window size

Petr Viktorin (23)

  • Use explicit truncating division

  • Don’t index exceptions directly

  • Use print_function future definition wherever print() is used

  • Alias “unicode” to “str” under Python 3

  • Avoid builtins that were removed in Python 3

  • dnsutil: Rename __nonzero__ to __bool__

  • Remove deprecated contrib/RHEL4

  • make-lint: Allow running pylint --py3k to detect Python3 issues

  • Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)

  • test_parameters: Ignore specific error message

  • ipaldap, ldapupdate: Encoding fixes for Python 3

  • ipautil.run, kernel_keyring: Encoding fixes for Python 3

  • tests: Use absolute imports

  • ipautil: Use mode ‘w+’ in write_tmp_file

  • test_util: str/bytes check fixes for Python 3

  • p11helper: Port to Python 3

  • cli: Don’t encode/decode for stdin/stdout on Python 3

  • Package python3-ipaclient

  • migration.py: Remove stray get_ipa_basedn import

  • Move get_ipa_basedn from ipautil to ipadiscovery

  • ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()

  • ipapython.sysrestore: Use str methods instead of functions from the string module

  • ipalib.x809: Accept bytes for make_pem

Petr Voborník (11)

  • webui: add examples to network address validator error message

  • webui: pwpolicy cospriority field was marked as required

  • spec: do not require arch specific ipalib package from noarch packages

  • webui: display server suffixes in server search page

  • stop installer when setup-ds.pl fails

  • webui: remove moot error from webui build

  • webui: use API call ca_is_enabled instead of enable_ra env variable.

  • advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins

  • cookie parser: do not fail on cookie with empty value

  • fix incorrect name of ipa-winsync-migrate command in help

  • Become IPA 4.3.1

Petr Špaček (15)

  • DNSSEC: Improve error reporting from ipa-ods-exporter

  • DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP

  • DNSSEC: Make sure that current key state in LDAP matches key state in BIND

  • DNSSEC: remove obsolete TODO note

  • DNSSEC: add debug mode to ldapkeydb.py

  • DNSSEC: logging improvements in ipa-ods-exporter

  • DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP

  • DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP

  • DNSSEC: ipa-ods-exporter: add ldap-cleanup command

  • DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal

  • DNSSEC: Log debug messages at log level DEBUG

  • Fix --auto-reverse option in --unattended mode.

  • Fix dns_is_enabled() API command to throw exceptions as appropriate

  • Fix DNS zone overlap check to allow ipa-replica-install to work

  • Fix ipa-adtrust-install to always generate SRV records with FQDNs

Simo Sorce (6)

  • Use only AES enctypes by default

  • Always verify we have a valid ldap context.

  • Improve keytab code to select the right principal.

  • Convert ipa-sam to use the new getkeytab control

  • Allow admins to disable preauth for SPNs.

  • Allow to specify Kerberos authz data type per user

Stanislav Laznicka (4)

  • Listing and cleaning RUV extended for CA suffix

  • Automatically detect and remove dangling RUVs

  • Cosmetic changes to the code

  • Fixes minor issues

Sumit Bose (1)

  • ipa-kdb: map_groups() consider all results

Thierry Bordaz (2)

  • configure DNA plugin shared config entries to allow connection with GSSAPI

  • DS deadlock when memberof scopes topology plugin updates

Timo Aaltonen (6)

  • Use HTTPD_USER in dogtaginstance.py

  • Move freeipa certmonger helpers to libexecdir.

  • ipa_restore: Import only FQDN from ipalib.constants

  • ipaplatform: Move remaining user/group constants to ipaplatform.constants.

  • Use ODS_USER/ODS_GROUP in opendnssec_conf.template

  • Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (4)

  • py3: Remove py3 incompatible exception handling

  • ipa-adtrust-install: Allow dash in the NETBIOS name

  • spec: Bump required sssd version to 1.13.3-5

  • adtrustinstance: Make sure smb.conf exists