

Release date: 2016-07-22

The FreeIPA team would like to announce the FreeIPA v4.3.2 bug-fix release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Experimental builds for CentOS 7 will be available in the official FreeIPA CentOS7 COPR repository.

Highlights in 4.3.2


  • added the ability to list/clean dangling RUV records for the o=ipaca suffix #4987
  • the `--domain-level` option of `ipa-server-install` was deprecated #5907

Bug fixes

  • fixed upgrade bug on servers without CA #5958
  • fixed installation of server with DNS if A record didn't exist #5962
  • fixed issue where A/AAAA DNS records were not created for CA #5966
  • fixed installation of CA-less replica on domain level 1 #5721
  • fixed forward zone conflicts with automatic empty zones from BIND #5710
  • fixed race condition with multiple simultaneous requests from the same principal #5653


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Detailed Changelog since 4.3.2

Abhijeet Kasurde (2)

  • Added description related to 'status' in ipactl man page
  • Updated ipa command man page

Alexander Bokovoy (1)

  • otptoken: support Python 3 for the qr code

David Kupka (3)

  • man: Describe ipa-client-install workaround for broken D-Bus environment.
  • installer: positional_arguments must be tuple or list of strings
  • installer: index() raises ValueError

Florence Blanc-Renaud (2)

  • Do not allow installation in FIPS mode
  • Fix session cookies

Fraser Tweedale (5)

  • caacl: correctly handle full user principal name
  • Prevent replica install from overwriting cert profiles
  • Detect and repair incorrect caIPAserviceCert config
  • upgrade: do not try to start CA if not configured
  • Move normalize_hostname to where it is expected

Jan Cholasta (4)

  • spec file: bump minimum required pki-core version
  • build: fix client-only build
  • makeapi: use the same formatting for `int` and `long` values
  • replica install: do not set CA renewal master flag

Lenka Doudova (2)

  • WebUI: Test creating user without private group
  • Test fix: Cleanup for host certificate

Martin Babinsky (1)

  • replica-prepare: do not add PTR records if there is no IPA managed reverse zone

Martin Bašti (18)

  • Add missing pre_common_callback to stageuser_add
  • Revert "ipatests: extend permission plugin test with new expected output"
  • make: fail when ACI.txt or API.txt differs from values in source code
  • Upgrade: always start CA
  • Set proper zanata project-version
  • Translations: remove deprecated locale configuration
  • Test: fix failing host_test
  • Fix: exceptions in DNS tests should not have data attribute
  • Translations: update translations for IPA 4.3.x
  • Fix resolve_rrsets: RRSet is not hashable
  • Translations: update ipa-4-3 translations
  • Revert "Switch /usr/bin/ipa to Python 3"
  • Use python2 for ipa cli
  • Replica promotion: use the correct IPA domain for replica
  • CA replica promotion: add proper CA DNS records
  • CA replica promotion: fix forgotten import
  • Fix replica install with CA
  • Use copy when replacing files to keep SELinux context

Milan Kubík (3)

  • ipatests: fix for change_principal context manager
  • ipatests: Add test case for requesting a certificate with full principal.
  • spec: Add python-sssdconfig dependency for python-ipatests package

Oleg Fayans (9)

  • Added a kdestroy call to clean ccache at master/client uninstallation
  • Added 5 more tests to Replica Promotion testsuite
  • Fixed a failure in legacy_client tests
  • Add test if replica is working after domain upgrade
  • Improve reporting of failed tests in topology test suite
  • Bugfixes in managed topology tests
  • A workaround for ticket N 5348
  • Increased certmonger timeout
  • Test for incorrect client domain

Pavel Vomacka (3)

  • Add X-Frame-Options and frame-ancestors options
  • Add 'skip overlap check' checkbox into add zone dialog
  • Add 'skip overlap check' checkbox to the add dns forward zone dialog

Petr Viktorin (23)

  • dns plugin: Fix zone normalization under Python 3
  • sysrestore: Iterate over a list of dict keys
  • test_xmlrpc: Use absolute imports
  • xmlrpc_test: Rename exception instance before working with it
  • radiusproxy plugin: Use str(error) rather than error.message
  • xmlrpc_test: Expect bytes rather than strings for binary attributes
  • ipalib.rpc: Send base64-encoded data as string under Python 3
  • range plugin tests: Use bytes with MockLDAP under Python 3
  • radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
  • certprofile plugin: Use binary mode for file with binary data
  • test_add_remove_cert_cmd: Use bytes for base64.b64encode()
  • Switch /usr/bin/ipa to Python 3
  • Fix remaining relative import and enable Pylint check
  • ipalib.cli: Improve reporting of binary values in the CLI
  • test_cert_plugin: Encode 'certificate' for comparison with 'usercertificate'
  • ipaldap: Keep attribute names as text, not bytes
  • ipapython.secrets.kem: Use ConfigParser from six.moves
  • test_topology_plugin: Don't rely on order of an attribute's values
  • test_rpcserver: Expect updated error message under Python 3
  • ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
  • test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
  • ipaldap: Convert dict items to list before iterating
  • test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView

Petr Voborník (2)

  • mod_auth_gssapi: enable unique credential caches names
  • Become IPA 4.3.2

Petr Špaček (30)

  • Remove function ipapython.ipautil.host_exists()
  • Extend installers with --forward-policy option
  • Move automatic empty zone list into ipapython.dnsutil and make it reusable
  • Add assert_absolute_dnsname() helper to ipapython.dnsutil
  • Move function is_auto_empty_zone() into ipapython.dnsutil
  • Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
  • Add function ipapython.dnsutil.inside_auto_empty_zone()
  • Auto-detect default value for --forward-policy option in installers
  • DNS: Fix upgrade - master to forward zone transformation
  • DNS installer: accept --auto-forwarders option in unattended mode
  • Batch command: avoid accessing potentially undefined context.principal
  • Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
  • Use root_logger for verify_host_resolvable()
  • Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
  • Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
  • Add ipaDNSVersion option to dnsconfig* commands and use new attribute
  • DNS upgrade: separate backup logic to make it reusable
  • Add function ipapython.dnsutil.related_to_auto_empty_zone()
  • DNS upgrade: change forwarding policy to = only for conflicting forward zones
  • DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
  • DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used
  • DNS: Warn if forwarding policy conflicts with automatic empty zones
  • DNS: Fix realm domains integration with DNS zone add.
  • client: Share validator and domain name normalization with server install
  • DNS: Fix tests for realm domains integration with DNS zone add
  • client-install: do not fail if DNS times out during DNS update generation
  • Use NSS for name->resolution in IPA installer
  • DNS: Remove unnecessary DNS check from installer
  • Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
  • Fix internal errors in host-add and other commands caused by DNS resolution

Stanislav Laznicka (9)

  • replica-manage: fail nicely when DM psswd required
  • ipa-replica-manage refactoring
  • abort-clean/list/clean-ruv now work for both suffixes
  • Moved password check from clean_dangling_ruv
  • Fix to clean-dangling-ruv for single CA topologies
  • Added pyusb as a dependency
  • Deprecated the domain-level option in ipa-server-install
  • fixes premature sys.exit in ipa-replica-manage del
  • Remove dangling RUVs even if replicas are offline

Thierry Bordaz (1)

  • Make sure ipapwd_extop takes precedence over passwd_modify_extop