The FreeIPA team would like to announce FreeIPA 4.5.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25/26 will be available in the official COPR repository.
Highlights in 4.5.1#
Enhancements#
HBAC rules can be renamed (#6784)
HBAC rules can now be renamed.
SUDO rules can be renamed (#2466)
The attribute "rdn_is_primary_key" of the LDAPObject class was renamed to "allow_rename", because the old name did not reflect the purpose of the attribute. Thanks to this, objects whose primary key is not in the RDN can now be renamed. As a result, sudo rules can now be renamed.
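The distinction behind the renamed attribute is whether the object's primary key is its RDN (users and groups: uid=... or cn=... is the RDN, so a rename is an LDAP MODRDN) or an ordinary attribute under a stable RDN (HBAC and sudo rules live under ipaUniqueID=..., so a rename is a plain modify of cn). The following added example, which is not FreeIPA code, models both paths against a constructed in-memory directory; the DNs, entry contents, and helper names are assumptions made for the illustration. It also performs the check a practitioner would want on either path: refusing a rename that would collide with an existing object in the same container.

```python
"""Illustration of the two LDAP rename paths behind an allow_rename flag.

Added example, not FreeIPA code. A dict keyed by DN stands in for the
directory; DNs and attribute values below are constructed samples.
"""


def rdn_attr(dn):
    """Return the attribute type of the leftmost RDN, lower-cased.

    Assumes single-valued RDNs without escaped commas, which holds for
    the container layout modelled here.
    """
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[0].strip().lower()


def rename_entry(directory, dn, primary_key, new_name, allow_rename=True):
    """Rename the object at `dn` whose primary key attribute is `primary_key`.

    Returns the DN of the entry after the rename. Raises ValueError when the
    object type does not allow renaming or when `new_name` already exists
    in the same container.
    """
    if not allow_rename:
        raise ValueError("renaming this object type is not allowed")
    entry = directory[dn]
    parent = dn.split(",", 1)[1]
    # Uniqueness check: never create a second object with the same primary
    # key in one container, whichever rename path is taken below.
    for other_dn, other in directory.items():
        if other_dn == dn or not other_dn.endswith("," + parent):
            continue
        if other.get(primary_key, [None])[0] == new_name:
            raise ValueError("%s=%s already exists in %s"
                             % (primary_key, new_name, parent))
    if rdn_attr(dn) == primary_key.lower():
        # Primary key is the RDN (users, groups): the rename is a MODRDN,
        # so the entry moves to a new DN and its RDN attribute is updated.
        new_dn = "%s=%s,%s" % (primary_key, new_name, parent)
        del directory[dn]
        entry[primary_key] = [new_name]
        directory[new_dn] = entry
        return new_dn
    # Primary key is a normal attribute under a stable RDN (ipaUniqueID for
    # HBAC and sudo rules): the rename is a plain modify, DN unchanged.
    entry[primary_key] = [new_name]
    return dn


def sample_directory():
    """Constructed sample entries modelled on FreeIPA's container layout."""
    return {
        "uid=alice,cn=users,cn=accounts,dc=example,dc=test": {
            "objectClass": ["person", "posixAccount"], "uid": ["alice"]},
        "uid=bob,cn=users,cn=accounts,dc=example,dc=test": {
            "objectClass": ["person", "posixAccount"], "uid": ["bob"]},
        "ipaUniqueID=1111-aaaa,cn=sudorules,cn=sudo,dc=example,dc=test": {
            "objectClass": ["ipasudorule"], "cn": ["allow-reboot"]},
        "ipaUniqueID=2222-bbbb,cn=sudorules,cn=sudo,dc=example,dc=test": {
            "objectClass": ["ipasudorule"], "cn": ["allow-mount"]},
    }


if __name__ == "__main__":
    d = sample_directory()
    user_dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
    sudo_dn = "ipaUniqueID=1111-aaaa,cn=sudorules,cn=sudo,dc=example,dc=test"
    print("user rename ->", rename_entry(d, user_dn, "uid", "alice2"))
    print("sudo rule rename ->", rename_entry(d, sudo_dn, "cn", "allow-restart"))
```

Running the module renames a user (DN changes, MODRDN path) and a sudo rule (DN stays, modify path); a second rename of the sudo rule to "allow-mount" would be refused because that name is already taken in the container.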
Known Issues#
Bug fixes#
FreeIPA 4.5.1 is a stabilization release for the features delivered as part of 4.5.0. It contains more than 90 bug fixes; details can be seen in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on the Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets#
#6950 ipa-server-install --uninstall fails with ERROR 'tuple' object has no attribute 'append'
#6934 ipa-kra-install timeouts on replica
#6925 KRA installation fails on server that was originally installed as CA-less
#6924 Fix SELinux contex of http.keytab during upgrade
#6923 Update warning message when KRA installation fails
#6922 Update man page of ipa-kra-install
#6921 ipa-server-install with external CA fails in issue_selfsigned_pkinit_certs
#6920 Upgrade from ipa-4.1 fails when enabling KDC proxy
#6916 ipa-client-install: extra space in pkinit_anchors definition
#6911 error adding authenticator indicators to host
#6907 ipa vault-add raises TypeError
#6904 pki_client_database_password is shown in ipaserver-install.log
#6902 ipa restore fails to restore IPA user
#6900 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
#6899 ipa vault: archival and retrieval is broken in IPA 4.5.0
#6897 ipa-server-install with external-ca fails in FIPS mode
#6896 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
#6895 ipa-kra-install fails when primary KRA server has been decommissioned
#6894 DNS forwarder address added during IPA installation shouldn’t add IP-Address ‘0.0.0.0’
#6892 ipa-[ca|kra]-install with invalid DM password break replica
#6883 ipa cert-show raises stack traces when --certificate-out=/tmp
#6881 ipa.ipaserver.install.plugins.adtrust.update_tdo_gidnumber: ERROR Default SMB Group not found
#6878 Replica install fails during migration from older IPA master
#6876 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA
#6875 Correct wheel package dependencies
#6872 ipa server install fails with --external-ca option
#6869 CA-less pkinit not installable with --pkinit-cert-file option
#6866 ipa trust-fetch-domains: ValidationError: invalid ‘Credentials’: Missing credentials for cross-forest communication
#6864 minor spelling mistake #2
#6862 WebUI cert auth fails after ipa-adtrust-install
#6861 uninstall ipa client automount failed with RuntimeWarning
#6860 Add the name of the URL parameter which will be checked for username during cert login
#6859 Console output message while adding trust should be mapped with texts changed in Samba.
#6854 CA less setup is broken
#6853 Conversion of CA-less server to CA fails on CA instance spawn
#6850 Use /usr/bin/env python for ipaclient via pypi / macOS fixes for ipaclient
#6846 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA
#6839 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password
#6838 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching for public key for host
#6833 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap
#6831 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors
#6830 Configure local PKINIT on DL0 or when '--no-pkinit' option is used
#6828 error: implicit declaration of function 'sss_nss_getlistbycert'
#6827 ipasam: gidNumber attribute is not created in the trusted domain entry
#6826 IdM Server Smart Cards: extdom: improve cert request
#6825 Allow erasing ipaDomainResolutionOrder attribute
#6824 Add workaround for pki_pin for FIPS
#6823 Bump packages versions for certificate login
#6821 Deadlock between topology and schema-compat plugins
#6819 Login into WebUI using certificate does not work - mod_wsgi returns error
#6817 4.5 replica install fails against <4.5 master due to rejected PKINIT cert request
#6816 BUILD_IPA_CERTAUTH_PLUGIN broke configure –disable-server
#6813 Renewal of IPA RA fails on replica
#6812 WebUI: in self-service Vault menu item is shown even if KRA is not installed
#6808 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page
#6807 Server CA-less impossible option check
#6806 CA-less installation fails on publishing CA certificate
#6803 Master tree fails to install
#6801 Remove pkinit-related options from server/replica-install on DL0
#6799 ipa-replica-install with DL0 fails to get anonymous keytab
#6798 Changes to ipa-run-tests broke helper test tools
#6797 As an ID user I cannot call a command with --rights option
#6795 man ipa-cacert-manage install needs clarification
#6792 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
#6787 Make KRA cert cache concurrency safe
#6786 make sure that runtime hostname result is consistent with the configuration in AD trust
#6784 [RFE] HBAC rule names command rename
#6777 ipa-replica-install can’t install replica file produced by ipa-replica-prepare on 4.5
#6775 [ipalib/rpc.py] - “maximum recursion depth exceeded” with ipa vault commands
#6773 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated
#6772 WebUI: Adding certificate mapping data using certificate fails
#6771 Set GssProxy options to enable caching of ldap tickets
#6768 debian: daemons/dnssec/*.service.in hardcode user/groupnames
#6757 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica
#6748 CLI doesn’t work after ipa-restore
#6743 [copr] Replica install failing
#6716 cert-find does not find all certificates without sizelimit=0
#6715 Uninstall fails with No such file or directory: '/var/run/ipa/services.list'
#6697 [Tracker] FIPS mode for trust to AD feature
#6688 [tracker] ipa-replica-install fails with 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca
#6671 Privilege separation in IPA framework broke trust-add
#6641 RPC client should use HTTP persistent connection
#6618 “Truncated search results” pop-up appears in user details in WebUI
#6549 replica install against IPA v3 master fails with ACIError
#6494 Enumerate all available request type options in ipa cert-request help
#6404 Need to have validation for idrange names
#6370 [RFE] Web UI must check OCSP and CRL during smartcard login
#6319 ipa cert-request limits key size to 1024,2048,3072,4096 bits
#6183 ipa-replica-install may suggest --force-join option which does not exist
#5959 The framework needs to run in a separate process
#5952 Add git commit template
#5799 Errors from AD when trying to sign ipa.csr, conflicting template on
#5734 cert-request: PKCS #10 only is supported but '--request-type' option suggests otherwise
#5313 [RFE] disable last successful authentication by default in ipa.
#4639 ipa-server-install does not clean /etc/httpd/alias
#3242 [RFE] IPA WebUI login for AD Trusted User fails
#2466 [RFE] Support SUDO command rename
Detailed changelog since 4.5.0#
Alexander Bokovoy (5)#
trust: always use oddjobd helper for fetching trust information commit
adtrust: make sure that runtime hostname result is consistent with the configuration commit #6786
server: make sure we test for sss_nss_getlistbycert commit #6828
ldap2: use LDAP whoami operation to retrieve bind DN for current connection commit #6797
Abhijeet Kasurde (2)#
Christian Heimes (21)#
Skip test_session_storage in ipaclient unittest mode commit
Python 3: Fix session storage commit
Use Custodia 0.3.1 features commit
Move hosts module to ipatests.pytest_plugins.integration.hosts commit #6798
Move tasks module to ipatests.pytest_plugins.integration.tasks commit #6798
Move env_config module to ipatests.pytest_plugins.integration.env_config commit #6798
Move config module to ipatests.pytest_plugins.integration.config commit #6798
Increase Apache HTTPD’s default keep alive timeout commit
Add debug logging for keep-alive commit
David Kupka (10)#
ipapython.ipautil.run: Add option to set umask before executing command commit #6831
otptoken-add-yubikey: When --digits not provided use default value commit #6900
Create system users for FreeIPA services during package installation commit #6743
WebUI: cert login: Configure name of parameter used to pass username commit #6860
httpinstance.disable_system_trust: Don’t fail if module ‘Root Certs’ is not available commit #6803
spec file: Bump requires to make Certificate Login in WebUI work commit #6823
rpcserver.login_x509: Actually return reply from __call__ method commit #6819
Create temporary directories at the beginning of uninstall commit #6715
ipapython.ipautil.nolog_replace: Do not replace empty value commit #6738
felipe (1)#
Felipe Volpone (1)#
Fabiano Fidêncio (1)#
Florence Blanc-Renaud (16)#
ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt commit #6925
ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname commit #6895
ipa-kra-install manpage: document domain-level 1 commit #6922
ipa-server-install with external CA: fix pkinit cert issuance commit #6921
ipa-client-install: remove extra space in pkinit_anchors definition commit #6916
upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed commit #6881
ipa-sam: create the gidNumber attribute in the trusted domain entry commit #6827
idrange-add: properly handle empty --dom-name option commit #6404
ipa-ca-install man page: Add domain level 1 help commit #5831
dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function commit #6813
man ipa-cacert-manage install needs clarification commit #6795
Fraser Tweedale (1)#
Jan Cholasta (38)#
server install: fix KDC certificate validation in CA-less commit #6831, #6869
certs: do not export CA certs in install_pem_from_p12 commit #6831, #6869
certs: do not export keys world-readable in install_key_from_p12 commit #6831
install: introduce generic Kerberos Augeas lens commit #6831
client install: fix client PKINIT configuration commit #6831
certdb, certs: make trust flags argument mandatory commit #6831
renew agent: always export CSR on IPA CA certificate renewal commit #5799
cainstance: use correct profile for lightweight CA certificates commit #5799
server upgrade: always fix certmonger tracking request commit #5799
spec file: bump krb5 Requires for certauth fixes commit #4905
renew agent, restart scripts: connect to LDAP after kinit commit #6757
renew agent: revert to host keytab authentication commit #6757
install: request service certs after host keytab is set up commit #6757
dsinstance, httpinstance: consolidate certificate request code commit #6757
httpinstance: avoid httpd restart during certificate request commit #6757
dsinstance: reconnect ldap2 after DS is restarted by certmonger commit #6757
httpinstance: make sure NSS database is backed up commit #4639
spec file: bump libsss_nss_idmap-devel BuildRequires commit #6828
spec file: bump krb5-devel BuildRequires for certauth commit #4905
cert: do not limit internal searches in cert-find commit #6716
replica prepare: fix wrong IPA CA nickname in replica file commit #6777
httpinstance: clean up /etc/httpd/alias on uninstall commit #4639
tasks: run `systemctl daemon-reload` after httpd.service.d updates commit #6773
Martin Babinsky (16)#
Travis CI: explicitly update pip before running the builds commit
Do not test anonymous PKINIT after install/upgrade commit #6830
Upgrade: configure local/full PKINIT depending on the master status commit #6830
Use local anchor when armoring password requests commit #6830
Stop requesting anonymous keytab and purge all references of it commit #6830
Use only anonymous PKINIT to fetch armor ccache commit #6830
API for retrieval of master’s PKINIT status and publishing it in LDAP commit #6830
Allow for configuration of all three PKINIT variants when deploying KDC commit #6830
separate function to set ipaConfigString values on service entry commit #6830
Revert “Store GSSAPI session key in /var/run/ipa” commit #6880
Always check and create anonymous principal during KDC install commit #6799
Split out anonymous PKINIT test to a separate method commit #6792
Remove unused variable from failed anonymous PKINIT handling commit #6792
Upgrade: configure PKINIT after adding anonymous principal commit #6792
Martin Basti (13)#
Michal Reznik (2)#
Oliver Gutierrez (1)#
Petr Vobornik (3)#
Pavel Vomacka (8)#
Gabe (1)#
Sumit Bose (7)#
Simo Sorce (7)#
Stanislav Laznicka (33)#
compat plugin: Update link to slapi-nis project commit
compat: ignore cn=topology,cn=ipa,cn=etc subtree commit #6821
Move the compat plugin setup at the end of install commit #6821
Fix CAInstance.import_ra_cert for empty passwords commit #6878
replicainstall: better client install exception handling commit #6183
Remove publish_ca_cert() method from NSSDatabase commit #6806
Don’t allow setting pkinit-related options on DL0 commit #6801
Bump samba version for FIPS and priv. separation commit #6671, #6697
Add debug log in case cookie retrieval went wrong commit #6774
Timo Aaltonen (1)#
configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in commit