The FreeIPA team would like to announce the FreeIPA 4.5.1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25/26 will be available in the official COPR repository.

Highlights in 4.5.1

Enhancements

  • HBAC rule names can be renamed (#6784)

HBAC rules can now be renamed.

  • SUDO rules can be renamed (#2466)

The attribute “rdn_is_primary_key” of the LDAPObject class was renamed to “allow_rename” because the former name did not reflect the purpose of the attribute. Thanks to this, objects whose primary key is not in the RDN can now be renamed. As a result, sudo rules can now be renamed.

Known Issues

Bug fixes

FreeIPA 4.5.1 is a stabilization release for the features delivered as part of 4.5.0. It contains more than 90 bug fixes; details can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bug reports and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #6950 ipa-server-install --uninstall fails with ERROR ‘tuple’ object has no attribute ‘append’

  • #6934 ipa-kra-install timeouts on replica

  • #6925 KRA installation fails on server that was originally installed as CA-less

  • #6924 Fix SELinux contex of http.keytab during upgrade

  • #6923 Update warning message when KRA installation fails

  • #6922 Update man page of ipa-kra-install

  • #6921 ipa-server-install with external CA fails in issue_selfsigned_pkinit_certs

  • #6920 Upgrade from ipa-4.1 fails when enabling KDC proxy

  • #6916 ipa-client-install: extra space in pkinit_anchors definition

  • #6911 error adding authenticator indicators to host

  • #6907 ipa vault-add raises TypeError

  • #6904 pki_client_database_password is shown in ipaserver-install.log

  • #6902 ipa restore fails to restore IPA user

  • #6900 otptoken-add-yubikey KeyError: ‘ipatokenotpdigits’

  • #6899 ipa vault: archival and retrieval is broken in IPA 4.5.0

  • #6897 ipa-server-install with external-ca fails in FIPS mode

  • #6896 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

  • #6895 ipa-kra-install fails when primary KRA server has been decommissioned

  • #6894 DNS forwarder address added during IPA installation shouldn’t add IP-Address ‘0.0.0.0’

  • #6892 ipa-[ca|kra]-install with invalid DM password break replica

  • #6883 ipa cert-show raises stack traces when --certificate-out=/tmp

  • #6881 ipa.ipaserver.install.plugins.adtrust.update_tdo_gidnumber: ERROR Default SMB Group not found

  • #6878 Replica install fails during migration from older IPA master

  • #6876 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA

  • #6875 Correct wheel package dependencies

  • #6872 ipa server install fails with --external-ca option

  • #6869 CA-less pkinit not installable with --pkinit-cert-file option

  • #6866 ipa trust-fetch-domains: ValidationError: invalid ‘Credentials’: Missing credentials for cross-forest communication

  • #6864 minor spelling mistake #2

  • #6862 WebUI cert auth fails after ipa-adtrust-install

  • #6861 uninstall ipa client automount failed with RuntimeWarning

  • #6860 Add the name of URL parameter which will be check for username during cert login

  • #6859 Console output message while adding trust should be mapped with texts changed in Samba.

  • #6854 CA less setup is broken

  • #6853 Conversion of CA-less server to CA fails on CA instance spawn

  • #6850 Use /usr/bin/env python for ipaclient via pypi / macOS fixes for ipaclient

  • #6846 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA

  • #6839 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password

  • #6838 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching for public key for host

  • #6833 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap

  • #6831 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors

  • #6830 Configure local PKINIT on DL0 or when ‘--no-pkinit’ option is used

  • #6828 error: implicit declaration of function ‘sss_nss_getlistbycert’

  • #6827 ipasam: gidNumber attribute is not created in the trusted domain entry

  • #6826 IdM Server Smart Cards: extdom: improve cert request

  • #6825 Allow erasing ipaDomainResolutionOrder attribute

  • #6824 Add workaround for pki_pin for FIPS

  • #6823 Bump packages versions for certificate login

  • #6821 Deadlock between topology and schema-compat plugins

  • #6819 Login into WebUI using certificate does not work - mod_wsgi returns error

  • #6817 4.5 replica install fails against <4.5 master due to rejected PKINIT cert request

  • #6816 BUILD_IPA_CERTAUTH_PLUGIN broke configure --disable-server

  • #6813 Renewal of IPA RA fails on replica

  • #6812 WebUI: in self-service Vault menu item is shown even if KRA is not installed

  • #6808 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page

  • #6807 Server CA-less impossible option check

  • #6806 CA-less installation fails on publishing CA certificate

  • #6803 Master tree fails to install

  • #6801 Remove pkinit-related options from server/replica-install on DL0

  • #6799 ipa-replica-install with DL0 fails to get anonymous keytab

  • #6798 Changes to ipa-run-tests broke helper test tools

  • #6797 As an ID user I cannot call a command with --rights option

  • #6795 man ipa-cacert-manage install needs clarification

  • #6792 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT

  • #6787 Make KRA cert cache concurrency safe

  • #6786 make sure that runtime hostname result is consistent with the configuration in AD trust

  • #6784 [RFE] HBAC rule names command rename

  • #6777 ipa-replica-install can’t install replica file produced by ipa-replica-prepare on 4.5

  • #6775 [ipalib/rpc.py] - “maximum recursion depth exceeded” with ipa vault commands

  • #6773 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated

  • #6772 WebUI: Adding certificate mapping data using certificate fails

  • #6771 Set GssProxy options to enable caching of ldap tickets

  • #6768 debian: daemons/dnssec/*.service.in hardcode user/groupnames

  • #6757 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica

  • #6748 CLI doesn’t work after ipa-restore

  • #6743 [copr] Replica install failing

  • #6716 cert-find does not find all certificates without sizelimit=0

  • #6715 Uninstall fails with No such file or directory: ‘/var/run/ipa/services.list’

  • #6697 [Tracker] FIPS mode for trust to AD feature

  • #6688 [tracker] ipa-replica-install fails with 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca

  • #6671 Privilege separation in IPA framework broke trust-add

  • #6641 RPC client should use HTTP persistent connection

  • #6618 “Truncated search results” pop-up appears in user details in WebUI

  • #6549 replica install against IPA v3 master fails with ACIError

  • #6494 Enumerate all available request type options in ipa cert-request help

  • #6404 Need to have validation for idrange names

  • #6370 [RFE] Web UI must check OCSP and CRL during smartcard login

  • #6319 ipa cert-request limits key size to 1024,2048,3072,4096 bits

  • #6183 ipa-replica-install may suggest --force-join option which does not exist

  • #5959 The framework needs to run in a separate process

  • #5952 Add git commit template

  • #5799 Errors from AD when trying to sign ipa.csr, conflicting template on

  • #5734 cert-request: PKCS #10 only is supported but ‘--request-type’ option suggests otherwise

  • #5313 [RFE] disable last successful authentication by default in ipa.

  • #4639 ipa-server-install does not clean /etc/httpd/alias

  • #3242 [RFE] IPA WebUI login for AD Trusted User fails

  • #2466 [RFE] Support SUDO command rename

Detailed changelog since 4.5.0

Alexander Bokovoy (5)

  • trust: always use oddjobd helper for fetching trust information commit

  • ipaserver/dcerpc: unify error processing commit #6859

  • adtrust: make sure that runtime hostname result is consistent with the configuration commit #6786

  • server: make sure we test for sss_nss_getlistbycert commit #6828

  • ldap2: use LDAP whoami operation to retrieve bind DN for current connection commit #6797

Abhijeet Kasurde (2)

Christian Heimes (21)

  • Correct PyPI package dependencies commit #6875

  • Vault: Explicitly default to 3DES CBC commit #6899

  • Use entry_points for ipa CLI commit #6653, #6850

  • Skip test_session_storage in ipaclient unittest mode commit

  • Add make devcheck for developers commit #6604

  • Python 3: Fix session storage commit

  • Use Custodia 0.3.1 features commit

  • Simplify KRA transport cert cache commit #6787

  • Constrain wheel package versions commit #6468

  • Move remaining util functions to tasks module commit #6798

  • Ship ipatests.pytest_plugins.integration commit #6798

  • Move function run_repeatedly to tasks module commit #6798

  • Move hosts module to ipatests.pytest_plugins.integration.hosts commit #6798

  • Move tasks module to ipatests.pytest_plugins.integration.tasks commit #6798

  • Move env_config module to ipatests.pytest_plugins.integration.env_config commit #6798

  • Move config module to ipatests.pytest_plugins.integration.config commit #6798

  • Move helper code for integration plugin commit #6798

  • Increase Apache HTTPD’s default keep alive timeout commit

  • Add debug logging for keep-alive commit

  • Use connection keep-alive commit #6641

  • Add options to run only ipaclient unittests commit #6517

David Kupka (10)

  • ipapython.ipautil.run: Add option to set umask before executing command commit #6831

  • otptoken-add-yubikey: When --digits not provided use default value commit #6900

  • Bump version of ipa.conf file commit #6860

  • Create system users for FreeIPA services during package installation commit #6743

  • WebUI: cert login: Configure name of parameter used to pass username commit #6860

  • httpinstance.disable_system_trust: Don’t fail if module ‘Root Certs’ is not available commit #6803

  • spec file: Bump requires to make Certificate Login in WebUI work commit #6823

  • rpcserver.login_x509: Actually return reply from __call__ method commit #6819

  • Create temporary directories at the beginning of uninstall commit #6715

  • ipapython.ipautil.nolog_replace: Do not replace empty value commit #6738

felipe (1)

  • Fixing replica install: fix ldap connection in domlvl 0 commit #6549

Felipe Volpone (1)

  • Fixing adding authenticator indicators to host commit #6911

Fabiano Fidêncio (1)

  • Allow erasing ipaDomainResolutionOrder attribute commit #6825

Florence Blanc-Renaud (16)

  • ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt commit #6925

  • ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname commit #6895

  • ipa-server-install: fix uninstall commit #6950

  • ipa-kra-install manpage: document domain-level 1 commit #6922

  • ipa-kra-install: fix check_host_keys commit #6934

  • ipa-server-install with external CA: fix pkinit cert issuance commit #6921

  • ipa-client-install: remove extra space in pkinit_anchors definition commit #6916

  • vault: piped input for ipa vault-add fails commit #6907

  • upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed commit #6881

  • tests: add non-reg for idrange-add commit #6404

  • Upgrade: add gidnumber to trusted domain entry commit #6827

  • ipa-sam: create the gidNumber attribute in the trusted domain entry commit #6827

  • idrange-add: properly handle empty --dom-name option commit #6404

  • ipa-ca-install man page: Add domain level 1 help commit #5831

  • dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function commit #6813

  • man ipa-cacert-manage install needs clarification commit #6795

Fraser Tweedale (1)

  • Support 8192-bit RSA keys in default cert profile commit #6319

Jan Cholasta (38)

  • server certinstall: support PKINIT commit #6831

  • cacert manage: support PKINIT commit #6831

  • replica install: respect --pkinit-cert-file commit #6831

  • server install: fix KDC certificate validation in CA-less commit #6831, #6869

  • certs: do not export CA certs in install_pem_from_p12 commit #6831, #6869

  • certs: do not export keys world-readable in install_key_from_p12 commit #6831

  • server install: fix KDC PKINIT configuration commit #6831

  • install: introduce generic Kerberos Augeas lens commit #6831

  • client install: fix client PKINIT configuration commit #6831

  • install: trust IPA CA for PKINIT commit #6831

  • certdb: use custom object for trust flags commit #6831

  • certdb, certs: make trust flags argument mandatory commit #6831

  • certdb: add named trust flag constants commit #6831

  • ipa-cacert-manage: add --external-ca-type commit #5799

  • renew agent: get rid of virtual profiles commit #5799

  • renew agent: always export CSR on IPA CA certificate renewal commit #5799

  • renew agent: allow reusing existing certs commit #5799

  • cainstance: use correct profile for lightweight CA certificates commit #5799

  • server upgrade: always fix certmonger tracking request commit #5799

  • renew agent: respect CA renewal master setting commit #5799

  • spec file: bump python-netaddr Requires commit #6894

  • spec file: bump krb5 Requires for certauth fixes commit #4905

  • configure: fix AC_CHECK_LIB usage commit #6846

  • cert: defer cert-find result post-processing commit #6808

  • renew agent, restart scripts: connect to LDAP after kinit commit #6757

  • renew agent: revert to host keytab authentication commit #6757

  • install: request service certs after host keytab is set up commit #6757

  • dsinstance, httpinstance: consolidate certificate request code commit #6757

  • httpinstance: avoid httpd restart during certificate request commit #6757

  • dsinstance: reconnect ldap2 after DS is restarted by certmonger commit #6757

  • httpinstance: make sure NSS database is backed up commit #4639

  • spec file: bump libsss_nss_idmap-devel BuildRequires commit #6828

  • spec file: bump krb5-devel BuildRequires for certauth commit #4905

  • cert: do not limit internal searches in cert-find commit #6716

  • replica prepare: fix wrong IPA CA nickname in replica file commit #6777

  • httpinstance: clean up /etc/httpd/alias on uninstall commit #4639

  • certs: do not implicitly create DS pin.txt commit #4639

  • tasks: run `systemctl daemon-reload` after httpd.service.d updates commit #6773

Martin Babinsky (16)

  • Travis CI: explicitly update pip before running the builds commit

  • Do not test anonymous PKINIT after install/upgrade commit #6830

  • Upgrade: configure local/full PKINIT depending on the master status commit #6830

  • Use local anchor when armoring password requests commit #6830

  • Stop requesting anonymous keytab and purge all references of it commit #6830

  • Use only anonymous PKINIT to fetch armor ccache commit #6830

  • API for retrieval of master’s PKINIT status and publishing it in LDAP commit #6830

  • Allow for configuration of all three PKINIT variants when deploying KDC commit #6830

  • separate function to set ipaConfigString values on service entry commit #6830

  • Revert “Store GSSAPI session key in /var/run/ipa” commit #6880

  • Remove duplicate functionality in upgrade commit #6799

  • Always check and create anonymous principal during KDC install commit #6799

  • Ensure KDC is properly configured after upgrade commit #6792

  • Split out anonymous PKINIT test to a separate method commit #6792

  • Remove unused variable from failed anonymous PKINIT handling commit #6792

  • Upgrade: configure PKINIT after adding anonymous principal commit #6792

Martin Basti (13)

  • Become IPA 4.5.1 commit

  • 4.5.1 Translation update commit

  • 4.5.1 Contributors update commit

  • ipasetup: fix dependencies handling based on python version commit #6875

  • ipaclient: fix missing RPM ownership commit #6927

  • ca_status: add HTTP timeout 30 seconds commit #6766

  • http_request: add timeout option commit #6766

  • Use proper SELinux context with http.keytab commit #6924

  • Store GSSAPI session key in /var/run/ipa commit #6880

  • Fix PKCS11 helper commit #6692

  • Remove surplus ‘the’ in output of ipa-adtrust-install commit #6864

  • Set “KDC:Disable Last Success” by default commit #5313

  • Set zanata version to ipa-4-5 commit

Michal Reznik (2)

  • test_caless: mark TestCertinstall intermediate CA tests as xfail commit #6959

  • test_caless: add pkinit option and test it commit #6854

Oliver Gutierrez (1)

  • Added plugins directory to ipaclient subpackages commit #6927

Petr Vobornik (3)

  • kerberos session: use CA cert with full cert chain for obtaining cookie commit #6876

  • restore: restart/reload gssproxy after restore commit #6902

  • automount install: fix checking of SSSD functionality on uninstall commit #6861

Pavel Vomacka (8)

  • Turn on NSSOCSP check in mod_nss conf commit #6370

  • WebUI: Allow to add certs to certmapping with CERT LINES around commit #6772

  • WebUI: Fix showing vault in selfservice view commit #6812

  • WebUI: suppress truncation warning in select widget commit #6618

  • WebUI: Add support for suppressing warnings commit #6618

  • WebUI: Add support for login for AD users commit #3242

  • WebUI: add method for disabling item in user dropdown menu commit #3242

  • WebUI: check principals in lowercase commit #3242

Gabe (1)

  • Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches commit #6896

Sumit Bose (7)

  • IPA-KDB: use relative path in ipa-certmap config snippet commit #6833

  • extdom: improve cert request commit #6826

  • extdom: do reverse search for domain separator commit

  • ipa-kdb: do not depend on certauth_plugin.h commit #4905

  • configure: fix --disable-server with certauth plugin commit #6816

  • IPA certauth plugin commit #4905

  • ipa-kdb: add ipadb_fetch_principals_with_extra_filter() commit #4905

Simo Sorce (7)

Stanislav Laznicka (33)

  • cert-show: writable files does not mean dirs commit #6883

  • Fix wrong message on Dogtag instances stop commit #6766

  • Make CA/KRA fail when they don’t start commit #6766

  • Remove the cachedproperty class commit #6878

  • Refresh Dogtag RestClient.ca_host property commit #6878

  • Fix CA/server cert validation in FIPS commit #6897

  • compat plugin: Update link to slapi-nis project commit

  • compat: ignore cn=topology,cn=ipa,cn=etc subtree commit #6821

  • Move the compat plugin setup at the end of install commit #6821

  • compat-manage: behave the same for all users commit #6821

  • Fix CAInstance.import_ra_cert for empty passwords commit #6878

  • Fix RA cert import during DL0 replication commit #6878

  • ext. CA: correctly write the cert chain commit #6872

  • server-install: No double Kerberos install commit #6757

  • Fix CA-less to CA-full upgrade commit #6853

  • replicainstall: better client install exception handling commit #6183

  • Add the force-join option to replica install commit #6183

  • server-install: remove broken no-pkinit check commit #6807

  • Add pki_pin only when needed commit #6839

  • Remove publish_ca_cert() method from NSSDatabase commit #6806

  • Get correct CA cert nickname in CA-less commit #6806

  • Remove redundant option check for cert files commit #6801

  • replica-prepare man: remove pkinit option refs commit #6801

  • Don’t allow setting pkinit-related options on DL0 commit #6801

  • Fix the order of cert-files check commit #6801

  • Generate PIN for PKI to help Dogtag in FIPS commit #6824

  • Backup CA cert from kerberos folder commit #6748

  • Allow renaming of the sudorule objects commit #2466

  • Allow renaming of the HBAC rule objects commit #6784

  • Reworked the renaming mechanism commit #2466, #6784

  • Bump samba version for FIPS and priv. separation commit #6671, #6697

  • Backup ipa-specific httpd unit-file commit #6748

  • Add debug log in case cookie retrieval went wrong commit #6774

Timo Aaltonen (1)

  • configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in commit

Tomas Krizek (7)

  • ca, kra install: validate DM password commit #6892

  • installutils: add DM password validator commit #6892

  • ca install: merge duplicated code for DM password commit #6892

  • upgrade: add missing suffix to http instance commit #6920

  • installer service: fix typo in service entry commit #6920

  • python2-ipalib: add missing python dependency commit #6920

  • kra install: update installation failure message commit #6923