
Releases/4.5.1

Release date: 2017-05-23

The FreeIPA team would like to announce the FreeIPA 4.5.1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25/26 will be available in the official COPR repository.

Highlights in 4.5.1

Enhancements

  • HBAC rules can be renamed (#6784)

HBAC rules can now be renamed.

  • SUDO rules can be renamed (#2466)

The attribute "rdn_is_primary_key" of the LDAPObject class was renamed to "allow_rename" because the former name did not reflect the purpose of the attribute. Thanks to this, objects whose primary key is not in the RDN can now be renamed. As a result, sudo rules can now be renamed.
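The following is an added illustration of the distinction the note describes; it is not FreeIPA's own code. It models two kinds of LDAP objects: one whose primary key is also the RDN attribute, so a rename is an LDAP modrdn, and one whose entry is keyed by a unique ID (as the note implies for sudo and HBAC rules), so the primary key lives only in an attribute and a rename is a plain modify. The class names LDAPObject, Group and SudoRule, the allow_rename attribute, the in-memory FakeDirectory and the constructed DNs are all assumptions made for the example.

```python
# Illustrative model of the "allow_rename" mechanism (added example, not
# FreeIPA's own code). Names and entry layouts are assumptions for the demo.


class RenameNotAllowed(Exception):
    pass


class NotFound(Exception):
    pass


class FakeDirectory:
    """Tiny in-memory stand-in for an LDAP server: DN -> attribute dict."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, attrs):
        self.entries[dn] = dict(attrs)

    def modrdn(self, old_dn, new_rdn_value, rdn_attr):
        # Equivalent of LDAP MODRDN: the entry moves to a new DN and the
        # RDN attribute value changes with it.
        attrs = self.entries.pop(old_dn)
        parent = old_dn.split(",", 1)[1]
        new_dn = f"{rdn_attr}={new_rdn_value},{parent}"
        attrs[rdn_attr] = new_rdn_value
        self.entries[new_dn] = attrs
        return new_dn

    def modify(self, dn, attr, value):
        # Equivalent of an LDAP MODIFY replace on a single attribute.
        self.entries[dn][attr] = value
        return dn

    def find(self, base, attr, value):
        for dn, attrs in self.entries.items():
            if dn.endswith(base) and attrs.get(attr) == value:
                return dn
        raise NotFound(f"{attr}={value} under {base}")


class LDAPObject:
    container = "dc=example,dc=test"
    primary_key = "cn"
    rdn_attribute = "cn"
    allow_rename = False  # assumed default: objects are not renamable

    @classmethod
    def rename(cls, directory, old_name, new_name):
        if not cls.allow_rename:
            raise RenameNotAllowed(cls.__name__)
        dn = directory.find(cls.container, cls.primary_key, old_name)
        if cls.rdn_attribute == cls.primary_key:
            # Primary key is the RDN: the DN itself has to change.
            return directory.modrdn(dn, new_name, cls.rdn_attribute)
        # Primary key is not part of the DN: only the attribute changes and
        # the DN (keyed by the unique ID) stays the same.
        return directory.modify(dn, cls.primary_key, new_name)


class Group(LDAPObject):
    container = "cn=groups,dc=example,dc=test"
    allow_rename = True


class SudoRule(LDAPObject):
    container = "cn=sudorules,cn=sudo,dc=example,dc=test"
    rdn_attribute = "ipaUniqueID"  # entry keyed by a unique ID, not by cn
    allow_rename = True


class HostGroupNoRename(LDAPObject):
    container = "cn=hostgroups,dc=example,dc=test"
    allow_rename = False


def rename_or_none(cls, directory, old_name, new_name):
    """Return the resulting DN, or None when the object type forbids rename."""
    try:
        return cls.rename(directory, old_name, new_name)
    except RenameNotAllowed:
        return None


def demo():
    # Constructed sample entries, one of each layout.
    d = FakeDirectory()
    d.add("cn=admins,cn=groups,dc=example,dc=test", {"cn": "admins"})
    sudo_dn = "ipaUniqueID=0001-constructed,cn=sudorules,cn=sudo,dc=example,dc=test"
    d.add(sudo_dn, {"ipaUniqueID": "0001-constructed", "cn": "oldrule"})
    group_dn = Group.rename(d, "admins", "administrators")
    rule_dn = SudoRule.rename(d, "oldrule", "newrule")
    return group_dn, rule_dn, d.entries[rule_dn]["cn"]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the group's DN changing (modrdn) while the sudo rule keeps its ipaUniqueID-based DN and only its cn attribute is replaced, which is exactly why a flag tied to "RDN is the primary key" could not express that the second object is renamable.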

Known Issues

Bug fixes

FreeIPA 4.5.1 is a stabilization release for the features delivered as part of 4.5.0. It contains more than 90 bug fixes; details can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.


Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

  • #6950 ipa-server-install --uninstall fails with ERROR 'tuple' object has no attribute 'append'
  • #6934 ipa-kra-install timeouts on replica
  • #6925 KRA installation fails on server that was originally installed as CA-less
  • #6924 Fix SELinux context of http.keytab during upgrade
  • #6923 Update warning message when KRA installation fails
  • #6922 Update man page of ipa-kra-install
  • #6921 ipa-server-install with external CA fails in issue_selfsigned_pkinit_certs
  • #6920 Upgrade from ipa-4.1 fails when enabling KDC proxy
  • #6916 ipa-client-install: extra space in pkinit_anchors definition
  • #6911 error adding authenticator indicators to host
  • #6907 ipa vault-add raises TypeError
  • #6904 pki_client_database_password is shown in ipaserver-install.log
  • #6902 ipa restore fails to restore IPA user
  • #6900 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
  • #6899 ipa vault: archival and retrieval is broken in IPA 4.5.0
  • #6897 ipa-server-install with external-ca fails in FIPS mode
  • #6896 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
  • #6895 ipa-kra-install fails when primary KRA server has been decommissioned
  • #6894 DNS forwarder address added during IPA installation shouldn't add IP-Address '0.0.0.0'
  • #6892 ipa-[ca|kra]-install with invalid DM password break replica
  • #6883 ipa cert-show raises stack traces when --certificate-out=/tmp
  • #6881 ipa.ipaserver.install.plugins.adtrust.update_tdo_gidnumber: ERROR Default SMB Group not found
  • #6878 Replica install fails during migration from older IPA master
  • #6876 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA
  • #6875 Correct wheel package dependencies
  • #6872 ipa server install fails with --external-ca option
  • #6869 CA-less pkinit not installable with --pkinit-cert-file option
  • #6866 ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
  • #6864 minor spelling mistake #2
  • #6862 WebUI cert auth fails after ipa-adtrust-install
  • #6861 uninstall ipa client automount failed with RuntimeWarning
  • #6860 Add the name of URL parameter which will be check for username during cert login
  • #6859 Console output message while adding trust should be mapped with texts changed in Samba.
  • #6854 CA less setup is broken
  • #6853 Conversion of CA-less server to CA fails on CA instance spawn
  • #6850 Use /usr/bin/env python for ipaclient via pypi / macOS fixes for ipaclient
  • #6846 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA
  • #6839 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password
  • #6838 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching for public key for host
  • #6833 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap
  • #6831 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors
  • #6830 Configure local PKINIT on DL0 or when '--no-pkinit' option is used
  • #6828 error: implicit declaration of function ‘sss_nss_getlistbycert’
  • #6827 ipasam: gidNumber attribute is not created in the trusted domain entry
  • #6826 IdM Server Smart Cards: extdom: improve cert request
  • #6825 Allow erasing ipaDomainResolutionOrder attribute
  • #6824 Add workaround for pki_pin for FIPS
  • #6823 Bump packages versions for certificate login
  • #6821 Deadlock between topology and schema-compat plugins
  • #6819 Login into WebUI using certificate does not work - mod_wsgi returns error
  • #6817 4.5 replica install fails against <4.5 master due to rejected PKINIT cert request
  • #6816 BUILD_IPA_CERTAUTH_PLUGIN broke configure --disable-server
  • #6813 Renewal of IPA RA fails on replica
  • #6812 WebUI: in self-service Vault menu item is shown even if KRA is not installed
  • #6808 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page
  • #6807 Server CA-less impossible option check
  • #6806 CA-less installation fails on publishing CA certificate
  • #6803 Master tree fails to install
  • #6801 Remove pkinit-related options from server/replica-install on DL0
  • #6799 ipa-replica-install with DL0 fails to get anonymous keytab
  • #6798 Changes to ipa-run-tests broke helper test tools
  • #6797 As a ID user I cannot call a command with --rights option
  • #6795 man ipa-cacert-manage install needs clarification
  • #6792 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
  • #6787 Make KRA cert cache concurrency safe
  • #6786 make sure that runtime hostname result is consistent with the configuration in AD trust
  • #6784 [RFE] HBAC rule names command rename
  • #6777 ipa-replica-install can't install replica file produced by ipa-replica-prepare on 4.5
  • #6775 [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands
  • #6773 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated
  • #6772 WebUI: Adding certificate mapping data using certificate fails
  • #6771 Set GssProxy options to enable caching of ldap tickets
  • #6768 debian: daemons/dnssec/*.service.in hardcode user/groupnames
  • #6757 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica
  • #6748 CLI doesn't work after ipa-restore
  • #6743 [copr] Replica install failing
  • #6716 cert-find does not find all certificates without sizelimit=0
  • #6715 Uninstall fails with No such file or directory: '/var/run/ipa/services.list'
  • #6697 [Tracker] FIPS mode for trust to AD feature
  • #6688 [tracker] ipa-replica-install fails with 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca
  • #6671 Privilege separation in IPA framework broke trust-add
  • #6641 RPC client should use HTTP persistent connection
  • #6618 "Truncated search results" pop-up appears in user details in WebUI
  • #6549 replica install against IPA v3 master fails with ACIError
  • #6494 Enumerate all available request type options in ipa cert-request help
  • #6404 Need to have validation for idrange names
  • #6370 [RFE] Web UI must check OCSP and CRL during smartcard login
  • #6319 ipa cert-request limits key size to 1024,2048,3072,4096 bits
  • #6183 ipa-replica-install may suggest --force-join option which does not exist
  • #5959 The framework needs to run in a separate process
  • #5952 Add git commit template
  • #5799 Errors from AD when trying to sign ipa.csr, conflicting template on
  • #5734 cert-request: PKCS #10 only is supported but `--request-type' option suggests otherwise
  • #5313 [RFE] disable last successful authentication by default in ipa.
  • #4639 ipa-server-install does not clean /etc/httpd/alias
  • #3242 [RFE] IPA WebUI login for AD Trusted User fails
  • #2466 [RFE] Support SUDO command rename

Detailed changelog since 4.5.0

Alexander Bokovoy (5)

  • trust: always use oddjobd helper for fetching trust information commit
  • ipaserver/dcerpc: unify error processing commit #6859
  • adtrust: make sure that runtime hostname result is consistent with the configuration commit #6786
  • server: make sure we test for sss_nss_getlistbycert commit #6828
  • ldap2: use LDAP whoami operation to retrieve bind DN for current connection commit #6797

Abhijeet Kasurde (2)

Christian Heimes (21)

  • Correct PyPI package dependencies commit #6875
  • Vault: Explicitly default to 3DES CBC commit #6899
  • Use entry_points for ipa CLI commit #6653, #6850
  • Skip test_session_storage in ipaclient unittest mode commit
  • Add make devcheck for developers commit #6604
  • Python 3: Fix session storage commit
  • Use Custodia 0.3.1 features commit
  • Simplify KRA transport cert cache commit #6787
  • Constrain wheel package versions commit #6468
  • Move remaining util functions to tasks module commit #6798
  • Ship ipatests.pytest_plugins.integration commit #6798
  • Move function run_repeatedly to tasks module commit #6798
  • Move hosts module to ipatests.pytest_plugins.integration.hosts commit #6798
  • Move tasks module to ipatests.pytest_plugins.integration.tasks commit #6798
  • Move env_config module to ipatests.pytest_plugins.integration.env_config commit #6798
  • Move config module to ipatests.pytest_plugins.integration.config commit #6798
  • Move helper code for integration plugin commit #6798
  • Increase Apache HTTPD's default keep alive timeout commit
  • Add debug logging for keep-alive commit
  • Use connection keep-alive commit #6641
  • Add options to run only ipaclient unittests commit #6517

David Kupka (10)

  • ipapython.ipautil.run: Add option to set umask before executing command commit #6831
  • otptoken-add-yubikey: When --digits not provided use default value commit #6900
  • Bump version of ipa.conf file commit #6860
  • Create system users for FreeIPA services during package installation commit #6743
  • WebUI: cert login: Configure name of parameter used to pass username commit #6860
  • httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available commit #6803
  • spec file: Bump requires to make Certificate Login in WebUI work commit #6823
  • rpcserver.login_x509: Actually return reply from __call__ method commit #6819
  • Create temporary directories at the beginning of uninstall commit #6715
  • ipapython.ipautil.nolog_replace: Do not replace empty value commit #6738

felipe (1)

  • Fixing replica install: fix ldap connection in domlvl 0 commit #6549

Felipe Volpone (1)

  • Fixing adding authenticator indicators to host commit #6911

Fabiano Fidêncio (1)

  • Allow erasing ipaDomainResolutionOrder attribute commit #6825

Florence Blanc-Renaud (16)

  • ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt commit #6925
  • ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname commit #6895
  • ipa-server-install: fix uninstall commit #6950
  • ipa-kra-install manpage: document domain-level 1 commit #6922
  • ipa-kra-install: fix check_host_keys commit #6934
  • ipa-server-install with external CA: fix pkinit cert issuance commit #6921
  • ipa-client-install: remove extra space in pkinit_anchors definition commit #6916
  • vault: piped input for ipa vault-add fails commit #6907
  • upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed commit #6881
  • tests: add non-reg for idrange-add commit #6404
  • Upgrade: add gidnumber to trusted domain entry commit #6827
  • ipa-sam: create the gidNumber attribute in the trusted domain entry commit #6827
  • idrange-add: properly handle empty --dom-name option commit #6404
  • ipa-ca-install man page: Add domain level 1 help commit #5831
  • dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function commit #6813
  • man ipa-cacert-manage install needs clarification commit #6795

Fraser Tweedale (1)

  • Support 8192-bit RSA keys in default cert profile commit #6319

Jan Cholasta (38)

  • server certinstall: support PKINIT commit #6831
  • cacert manage: support PKINIT commit #6831
  • replica install: respect --pkinit-cert-file commit #6831
  • server install: fix KDC certificate validation in CA-less commit #6831, #6869
  • certs: do not export CA certs in install_pem_from_p12 commit #6831, #6869
  • certs: do not export keys world-readable in install_key_from_p12 commit #6831
  • server install: fix KDC PKINIT configuration commit #6831
  • install: introduce generic Kerberos Augeas lens commit #6831
  • client install: fix client PKINIT configuration commit #6831
  • install: trust IPA CA for PKINIT commit #6831
  • certdb: use custom object for trust flags commit #6831
  • certdb, certs: make trust flags argument mandatory commit #6831
  • certdb: add named trust flag constants commit #6831
  • ipa-cacert-manage: add --external-ca-type commit #5799
  • renew agent: get rid of virtual profiles commit #5799
  • renew agent: always export CSR on IPA CA certificate renewal commit #5799
  • renew agent: allow reusing existing certs commit #5799
  • cainstance: use correct profile for lightweight CA certificates commit #5799
  • server upgrade: always fix certmonger tracking request commit #5799
  • renew agent: respect CA renewal master setting commit #5799
  • spec file: bump python-netaddr Requires commit #6894
  • spec file: bump krb5 Requires for certauth fixes commit #4905
  • configure: fix AC_CHECK_LIB usage commit #6846
  • cert: defer cert-find result post-processing commit #6808
  • renew agent, restart scripts: connect to LDAP after kinit commit #6757
  • renew agent: revert to host keytab authentication commit #6757
  • install: request service certs after host keytab is set up commit #6757
  • dsinstance, httpinstance: consolidate certificate request code commit #6757
  • httpinstance: avoid httpd restart during certificate request commit #6757
  • dsinstance: reconnect ldap2 after DS is restarted by certmonger commit #6757
  • httpinstance: make sure NSS database is backed up commit #4639
  • spec file: bump libsss_nss_idmap-devel BuildRequires commit #6828
  • spec file: bump krb5-devel BuildRequires for certauth commit #4905
  • cert: do not limit internal searches in cert-find commit #6716
  • replica prepare: fix wrong IPA CA nickname in replica file commit #6777
  • httpinstance: clean up /etc/httpd/alias on uninstall commit #4639
  • certs: do not implicitly create DS pin.txt commit #4639
  • tasks: run `systemctl daemon-reload` after httpd.service.d updates commit #6773

Martin Babinsky (16)

  • Travis CI: explicitly update pip before running the builds commit
  • Do not test anonymous PKINIT after install/upgrade commit #6830
  • Upgrade: configure local/full PKINIT depending on the master status commit #6830
  • Use local anchor when armoring password requests commit #6830
  • Stop requesting anonymous keytab and purge all references of it commit #6830
  • Use only anonymous PKINIT to fetch armor ccache commit #6830
  • API for retrieval of master's PKINIT status and publishing it in LDAP commit #6830
  • Allow for configuration of all three PKINIT variants when deploying KDC commit #6830
  • separate function to set ipaConfigString values on service entry commit #6830
  • Revert "Store GSSAPI session key in /var/run/ipa" commit #6880
  • Remove duplicate functionality in upgrade commit #6799
  • Always check and create anonymous principal during KDC install commit #6799
  • Ensure KDC is properly configured after upgrade commit #6792
  • Split out anonymous PKINIT test to a separate method commit #6792
  • Remove unused variable from failed anonymous PKINIT handling commit #6792
  • Upgrade: configure PKINIT after adding anonymous principal commit #6792

Martin Basti (13)

Michal Reznik (2)

  • test_caless: mark TestCertinstall intermediate CA tests as xfail commit #6959
  • test_caless: add pkinit option and test it commit #6854

Oliver Gutierrez (1)

  • Added plugins directory to ipaclient subpackages commit #6927

Petr Vobornik (3)

  • kerberos session: use CA cert with full cert chain for obtaining cookie commit #6876
  • restore: restart/reload gssproxy after restore commit #6902
  • automount install: fix checking of SSSD functionality on uninstall commit #6861

Pavel Vomacka (8)

  • Turn on NSSOCSP check in mod_nss conf commit #6370
  • WebUI: Allow to add certs to certmapping with CERT LINES around commit #6772
  • WebUI: Fix showing vault in selfservice view commit #6812
  • WebUI: suppress truncation warning in select widget commit #6618
  • WebUI: Add support for suppressing warnings commit #6618
  • WebUI: Add support for login for AD users commit #3242
  • WebUI: add method for disabling item in user dropdown menu commit #3242
  • WebUI: check principals in lowercase commit #3242

Gabe (1)

  • Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches commit #6896

Sumit Bose (7)

  • IPA-KDB: use relative path in ipa-certmap config snippet commit #6833
  • extdom: improve cert request commit #6826
  • extdom: do reverse search for domain separator commit
  • ipa-kdb: do not depend on certauth_plugin.h commit #4905
  • configure: fix --disable-server with certauth plugin commit #6816
  • IPA certauth plugin commit #4905
  • ipa-kdb: add ipadb_fetch_principals_with_extra_filter() commit #4905

Simo Sorce (7)

Stanislav Laznicka (33)

  • cert-show: writable files does not mean dirs commit #6883
  • Fix wrong message on Dogtag instances stop commit #6766
  • Make CA/KRA fail when they don't start commit #6766
  • Remove the cachedproperty class commit #6878
  • Refresh Dogtag RestClient.ca_host property commit #6878
  • Fix CA/server cert validation in FIPS commit #6897
  • compat plugin: Update link to slapi-nis project commit
  • compat: ignore cn=topology,cn=ipa,cn=etc subtree commit #6821
  • Move the compat plugin setup at the end of install commit #6821
  • compat-manage: behave the same for all users commit #6821
  • Fix CAInstance.import_ra_cert for empty passwords commit #6878
  • Fix RA cert import during DL0 replication commit #6878
  • ext. CA: correctly write the cert chain commit #6872
  • server-install: No double Kerberos install commit #6757
  • Fix CA-less to CA-full upgrade commit #6853
  • replicainstall: better client install exception handling commit #6183
  • Add the force-join option to replica install commit #6183
  • server-install: remove broken no-pkinit check commit #6807
  • Add pki_pin only when needed commit #6839
  • Remove publish_ca_cert() method from NSSDatabase commit #6806
  • Get correct CA cert nickname in CA-less commit #6806
  • Remove redundant option check for cert files commit #6801
  • replica-prepare man: remove pkinit option refs commit #6801
  • Don't allow setting pkinit-related options on DL0 commit #6801
  • Fix the order of cert-files check commit #6801
  • Generate PIN for PKI to help Dogtag in FIPS commit #6824
  • Backup CA cert from kerberos folder commit #6748
  • Allow renaming of the sudorule objects commit #2466
  • Allow renaming of the HBAC rule objects commit #6784
  • Reworked the renaming mechanism commit #2466, #6784
  • Bump samba version for FIPS and priv. separation commit #6671, #6697
  • Backup ipa-specific httpd unit-file commit #6748
  • Add debug log in case cookie retrieval went wrong commit #6774

Timo Aaltonen (1)

  • configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in commit

Tomas Krizek (7)

  • ca, kra install: validate DM password commit #6892
  • installutils: add DM password validator commit #6892
  • ca install: merge duplicated code for DM password commit #6892
  • upgrade: add missing suffix to http instance commit #6920
  • installer service: fix typo in service entry commit #6920
  • python2-ipalib: add missing python dependency commit #6920
  • kra install: update installation failure message commit #6923