The FreeIPA team would like to announce the FreeIPA 4.5.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25/26 will be available in the official COPR repository.
Highlights in 4.5.2
5860: deprecate --no-sssd option
The ‘--no-sssd’ option has been deprecated because SSSD is recommended for use on modern platforms: Fedora, RHEL 6, RHEL 7, Debian.
Enhancements
Known Issues
Bug fixes
FreeIPA 4.5.2 is a stabilization release for the features delivered as a part of 4.5.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.
Resolved tickets
#7020 Installation of KRA replica fails
#7015 allow to modify list of UPNs of a trusted forest
#7001 Do not send Max-Age in ipa_session cookie to avoid breaking older clients
#7000 Provide a simple command to issue KDC certificates on a IPA master
#6993 certauth: use canonical principal for lookups
#6982 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master
#6981 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
#6977 Simple service uninstallers must be able to handle missing service files gracefully
#6972 Replica installation grants HTTP principal access in WebUI
#6966 Document that port 8080 needs to be open on IPA masters for cert-find
#6965 ipa-replica-manage del replica.name fails
#6963 ipa certmaprule change not reflected in krb5kdc workers
#6958 [tracker] SELinux policy denies IPA framework to perform anonymous PKINIT on localhost during FAST armoring
#6948 services entries missing krbCanonicalName attribute.
#6937 Provide an API command to retrieve PKINIT status in the FreeIPA topology
#6936 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
#6935 ipa-replica-conncheck fails when there is no ssh executable on the master
#6885 ipa cert-show does not raise error if no file name specified
#6867 [ipa-replica-install] - KDC has no support for encryption type
#6800 Investigate how privilege separation feature will work after DL0->DL1 update
#6796 WSGI fails with recursion error in GSSAPI
#6749 “ipa: ERROR: an internal error has occurred” on executing command “ipa cert-request --add” after upgrade
#6736 Add pkinit_indicator option to KDC configuration
#6572 server-del doesn’t remove dns-server configuration from ldap
#5860 deprecate --no-sssd option
#5788 user-add postcallback is not efficient when --noprivate flag is set
#5406 ipa-client-install should not use hardcoded admin principal
Detailed changelog since 4.5.1
Alexander Bokovoy (4)
David Kupka (1)
Felipe Volpone (2)
Florence Blanc-Renaud (1)
Jan Cholasta (4)
Martin Babinsky (10)
Prepare advise plugin for smart card auth configuration commit #6982
Extend the advice printing code by some useful abstractions commit #6982
fix incorrect suffix handling in topology checks commit #6965
only stop/disable simple service if it is installed commit #6977
test_serverroles: Get rid of MockLDAP and use ldap2 instead commit #6937
Add the list of PKINIT servers as a virtual attribute to global config commit #6937
Add an attribute reporting client PKINIT-capable servers commit #6937
Refactor the role/attribute member reporting code commit #6937