The FreeIPA team would like to announce the FreeIPA 4.4.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.2

Known Issues

  • ipa-ca-install fails on replica when master is CA-less (#6226).

  • ipa cert-find command doesn’t return revocation reason in output, Web UI then cannot display proper state of a certificate (#6269).

Bug fixes

FreeIPA 4.4.2 is a stabilization release for the features delivered as part of 4.4.0. There are more than 40 bug fixes; details can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Resolved tickets

  • #4802 Investigate & document if TLS 1.2 is properly supported

  • #5557 Strict dependency of optional package pam_krb5

  • #5644 dnsrecord-del incompatible with admintools < ver 3.2 and server >= ver 3.2

  • #5725 failed ipa-server-install --uninstall returns exit code 0

  • #5754 ipa-client-install man page has incorrect data on hostname

  • #5755 test_0006_service_show in test_cert_plugin uses global variable wrong

  • #5809 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes

  • #5814 Change IP address validation errors to warnings [support for cloud environments]

  • #5818 webui: “Restore” option is not available for a preserved user in detailed info

  • #5822 Cannot create user with username exactly 255 characters long

  • #5855 method get_primary_key_from_dn does not work for netgroups properly

  • #6057 adding two way non transitive(external) trust displays internal error on the console

  • #6095 ipa command stuck forever on higher versioned client with lower versioned server

  • #6155 [tracker] Failed to configure CA instance

  • #6190 Regressions found by test: ipa.test_ipalib.test_parameters

  • #6203 dnsrecord-add does not prompt for missing record parts interactively

  • #6212 Pretty-print mismatches in tests

  • #6216 webui: cert_revoke should use --cacn to set correct CA when revoking certificate

  • #6221 Certificate revocation in service-del and host-del isn’t aware of Sub CAs

  • #6230 installer: external CA step 1 successful but reports ScriptError

  • #6238 Unable to view certificates issued by Sub CA in Web UI

  • #6256 [tracker] Revoke certificate on lightweight CA deletion

  • #6257 Implement ca-enable/disable commands.

  • #6260 cert-request: use better error message when CA is disabled

  • #6273 Command autocompletion without installed server prints an error message

  • #6279 CLI always sends default command version

  • #6285 Tests: Regex errors in trust tests

  • #6288 ipa-certupdate fails with “CA is not configured”

  • #6294 TypeError in installer

  • #6296 client-install with IPv6 address fails on link-local address (always)

  • #6300 Remove the assertion of incorrect return code from replica_promotion tests

  • #6301 Fix replica_promotion tests

  • #6304 cert-find --certificate does not work for certificates not in LDAP

  • #6306 Add cleanup to integration trust tests

  • #6309 cert-request does not raise error when CSR does not match profile pattern

  • #6312 Failing ldap backend test because service not found

  • #6313 Failing test in test_ipalib/test_plugable

  • #6322 Add krb5kdc restart to integration trust tests

  • #6323 Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap

  • #6326 Update host test with ipa-join

  • #6327 regression in `ipa cert-revoke --help`

  • #6328 ipa trust-fetch-domains throws internal error

  • #6329 WinSync users who have First.Last casing creates users who can have their password set

  • #6330 Invalid description for --hostname option in ipa-server-install man page

  • #6333 Skipped test_ipalib/test_text::test_TestLang::test_test_lang in outoftree suite

  • #6338 [Tests] Remove SSSD restart from integration tests

  • #6341 Certificate UI on details page shows add button even if user doesn’t have write right

  • #6349 Tests: incomplete cleanup of CA plugin XMLRPC tests

  • #6366 Extend CA ACL tests for test cases with CSR containing Subject Alt Name

  • #6368 otpd doesn’t properly handle closing of ldap connection

  • #6373 test_util.test_assert_deepequal fails

  • #6382 Test: disable test for wrong client domain in domain level 0

  • #6385 ipa-server-install --external-ca fails with AttributeError

  • #6390 python-dns 1.15.0 breaks FreeIPA

  • #6391 make FreeIPA codebase ready for pylint in Fedora rawhide

  • #5791 CA fails to start after doing ipa-ca-install --external-ca

Detailed changelog since 4.4.1

Christian Heimes (1)

  • Use RSA-OAEP instead of RSA PKCS#1 v1.5 cgit #6278

David Kupka (2)

  • UnsafeIPAddress: Implement __(g|s)etstate__ to ensure proper (un)pickling cgit #6385

  • schema cache: Store and check info for pre-schema servers cgit #6095

Florence Blanc-Renaud (2)

  • Fix regression introduced in ipa-certupdate cgit #6288

  • Fix ipa-certupdate for CA-less installation cgit #6288

Fraser Tweedale (10)

  • Add commentary about CA deletion to plugin doc cgit #6256

  • spec: require Dogtag >= 10.3.5-6 cgit #6256

  • cert-request: raise error when request fails cgit #6309

  • Make host/service cert revocation aware of lightweight CAs cgit #6221

  • cert-request: raise CertificateOperationError if CA disabled cgit #6260

  • Use Dogtag REST API for certificate requests cgit #3473, #6260

  • Add HTTPRequestError class cgit #3473, #6260

  • Allow Dogtag RestClient to perform requests without logging in cgit #3473, #6260

  • Add ca-disable and ca-enable commands cgit #6257

  • Track lightweight CAs on replica installation cgit #6019

Jan Cholasta (8)

  • test_plugable: update the rest of test_init cgit #6313

  • dns: re-introduce --raw in dnsrecord-del cgit #5644

  • client: remove hard dependency on pam_krb5 cgit #5557

  • cert: fix cert-find --certificate when the cert is not in LDAP cgit #6304

  • dns: fix crash in interactive mode against old servers cgit #6203

  • dns: prompt for missing record parts in CLI cgit #6203

  • dns: normalize record type read interactively in dnsrecord_add cgit #6203

  • cli: use full name when executing a command cgit #6279

Lenka Doudova (11)

  • Tests: Certificate revocation cgit #6349

  • Tests: Remove invalid certplugin tests cgit #6349

  • Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap cgit #6323

  • Tests: Fix host attributes in ipa-join host test cgit #6326

  • Tests: Update host test with ipa-join cgit #6326

  • Tests: Add krb5kdc.service restart to integration trust tests cgit #6322

  • Tests: Remove SSSD restart from integration tests cgit #6338

  • Tests: Fix integration sudo tests setup and checks cgit #6262

  • Tests: Fix failing ldap.backend test cgit #6312

  • Tests: Add cleanup to integration trust tests cgit #6306

  • Tests: Fix regex errors in integration trust tests cgit #6285

Martin Babinsky (13)

  • disable warnings reported by pylint-1.6.4-1 cgit #6391

  • mod_nss: use more robust quoting of NSSNickname directive cgit #5809

  • Move character escaping function to ipautil cgit #5809

  • Make Continuous installer continuous only during execution phase cgit #5725

  • use separate exception handlers for executors and validators cgit #5725

  • ipa passwd: use correct normalizer for user principals cgit #6329

  • trust-fetch-domains: contact forest DCs when fetching trust domain info cgit #6328

  • netgroup: avoid extraneous LDAP search when retrieving primary key from DN cgit #5855

  • ldapupdate: Use proper inheritance in BadSyntax exception cgit #6294

  • raise ValidationError when deprecated param is passed to command cgit #6190

  • Always fetch forest info from root DCs when establishing one-way trust cgit #6057

  • factor out `populate_remote_domain` method into module-level function cgit #6057

  • Always fetch forest info from root DCs when establishing two-way trust cgit #6057

Martin Basti (17)

  • test_text: add test ipa.pot file for tests cgit #6333

  • Test: don’t use global variable for iteration in test_cert_plugin cgit #5755

  • Use constant for user and group patterns cgit #5822

  • Fix regexp patterns in parameters to not enforce length cgit #5822

  • Add check for IP addresses into DNS installer cgit #5814

  • Fix missing config.ips in promote_check cgit #5814

  • Abstract procedures for IP address warnings cgit #5814

  • Catch DNS exceptions during emptyzones named.conf upgrade cgit #6205

  • Start named during configuration upgrade. cgit #6205

  • Tests: extend DNS cmdline tests with lowercased record type cgit #6203

  • Show warning when net/broadcast IP address is used in installer cgit #5814

  • Allow multicast addresses in A/AAAA records cgit #5814

  • Allow broadcast ip addresses cgit #5814

  • Allow network ip addresses cgit #5814

  • Fix parse errors with link-local addresses cgit #6296

  • Fix ScriptError to always return string from __str__ cgit #6294

  • Set zanata project-version for 4.4 branch cgit

Milan Kubík (3)

  • ipatests: Implement tests with CSRs requesting SAN cgit #6366

  • ipatests: Fix name property on a service tracker cgit #6366

  • ipatests: provide context manager for keytab usage in RPC tests cgit #6366

Nathaniel McCallum (1)

  • Properly handle LDAP socket closures in ipa-otpd cgit #6368

Oleg Fayans (4)

  • Test: disabled wrong client domain tests for domlevel 0 cgit #6382

  • Changed addressing to the client hosts to be replicas cgit #6287

  • Several fixes in replica_promotion tests cgit #6301

  • Removed incorrect check for returncode cgit #6300

Petr Spacek (1)

  • Fix compatibility with python-dns 1.15.0 cgit #6390

Pavel Vomacka (5)

  • WebUI: hide buttons in certificate widget according to acl cgit #6341

  • Add ‘Restore’ option to action dropdown menu cgit #5818

  • WebUI add support for sub-CAs while revoking certificates cgit #6216

  • WebUI: Fix showing certificates issued by sub-CA cgit #6238

  • Add support for additional options taken from table facet cgit #6238

Stanislav Laznicka (5)

  • Make installer quit more nicely on external CA installation cgit #6230

  • Fix test_util.test_assert_deepequal test cgit #6373

  • Pretty-print structures in assert_deepequal cgit #6212

  • Remove update_from_dict() method cgit #6311

  • Updated help/man information about hostname cgit #5754

Tomas Krizek (4)

  • Keep NSS trust flags of existing certificates cgit #5791

  • Update ipa-server-install man page for hostname cgit #6330

  • Add help info about certificate revocation reasons cgit #6327

  • Don’t show error messages in bash completion cgit #6273