

Release date: 2017-06-18

The FreeIPA team would like to announce the FreeIPA 4.5.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25/26 will be available in the official COPR repository.

Highlights in 4.5.2

  • 5860: deprecate --no-sssd option

The '--no-sssd' option has been deprecated because SSSD is recommended on modern platforms: Fedora, RHEL 6, RHEL 7, Debian.


Known Issues

Bug fixes

FreeIPA 4.5.2 is a stabilization release for the features delivered as a part of 4.5.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #7020 Installation of KRA replica fails
  • #7015 allow to modify list of UPNs of a trusted forest
  • #7001 Do not send Max-Age in ipa_session cookie to avoid breaking older clients
  • #7000 Provide a simple command to issue KDC certificates on a IPA master
  • #6993 certauth: use canonical principal for lookups
  • #6982 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master
  • #6981 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
  • #6977 Simple service uninstallers must be able to handle missing service files gracefully
  • #6972 Replica installation grants HTTP principal access in WebUI
  • #6966 Document that port 8080 needs to be open on IPA masters for cert-find
  • #6965 ipa-replica-manage del replica.name fails
  • #6963 ipa certmaprule change not reflected in krb5kdc workers
  • #6958 [tracker] SELinux policy denies IPA framework to perform anonymous PKINIT on localhost during FAST armoring
  • #6948 services entries missing krbCanonicalName attribute.
  • #6937 Provide an API command to retrieve PKINIT status in the FreeIPA topology
  • #6936 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
  • #6935 ipa-replica-conncheck fails when there is no ssh executable on the master
  • #6885 ipa cert-show does not raise error if no file name specified
  • #6867 [ipa-replica-install] - KDC has no support for encryption type
  • #6800 Investigate how privilege separation feature will work after DL0->DL1 update
  • #6796 WSGI fails with recursion error in GSSAPI
  • #6749 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade
  • #6736 Add pkinit_indicator option to KDC configuration
  • #6572 server-del doesn't remove dns-server configuration from ldap
  • #5860 deprecate --no-sssd option
  • #5788 user-add postcallback is not efficient when --noprivate flag is set
  • #5406 ipa-client-install should not use hardcoded admin principal

Detailed changelog since 4.5.1

Alexander Bokovoy (4)

  • trust-mod: allow modifying list of UPNs of a trusted forest commit #7015
  • ipa-kdb: add pkinit authentication indicator in case of a successful certauth commit #6736
  • Fix index definition for ipaAnchorUUID commit #6975
  • krb5: make sure KDC certificate is readable commit #6973

David Kupka (1)

  • kra: promote: Get ticket before calling custodia commit #7020

Felipe Volpone (2)

  • Changing cert-find to go through the proxy instead of using the port 8080 commit #6966
  • Changing cert-find to do not use only primary key to search in LDAP. commit #6948

Florence Blanc-Renaud (1)

  • ipa-replica-conncheck: handle ssh not installed commit #6935

Jan Cholasta (4)

  • server upgrade: do not enable PKINIT by default commit #7000
  • pkinit manage: introduce ipa-pkinit-manage commit #7000
  • server certinstall: update KDC master entry commit #7000
  • httpinstance: wait until the service entry is replicated commit #6867

Martin Babinsky (10)

  • Prepare advise plugin for smart card auth configuration commit #6982
  • Extend the advice printing code by some useful abstractions commit #6982
  • fix incorrect suffix handling in topology checks commit #6965
  • only stop/disable simple service if it is installed commit #6977
  • test_serverroles: Get rid of MockLDAP and use ldap2 instead commit #6937
  • Add `pkinit-status` command commit #6937
  • Add the list of PKINIT servers as a virtual attribute to global config commit #6937
  • Add an attribute reporting client PKINIT-capable servers commit #6937
  • Refactor the role/attribute member reporting code commit #6937
  • Allow for multivalued server attributes commit #6937

Martin Basti (4)

  • Only warn when specified server IP addresses don't match intf commit #2715, #4317
  • Add remote_plugins subdirectories to RPM commit #6927
  • custodia dep: require explicitly python2 version commit #6962
  • 4.5 set back to git snapshot commit

Pavel Vomacka (4)

Sumit Bose (2)

  • ipa-kdb: use canonical principal in certauth plugin commit #6993
  • ipa-kdb: reload certificate mapping rules periodically commit #6963

Simo Sorce (3)

  • Revert setting sessionMaxAge for old clients commit #7001
  • Add code to be able to set default kinit lifetime commit #7001
  • Fix rare race condition with missing ccache file commit

Stanislav Laznicka (6)

Tibor Dudlák (3)

  • server.py: Removes dns-server configuration from ldap commit #6572
  • sssd.py: Deprecating no-sssd option. commit #5860
  • client.py: Replace hardcoded 'admin' with options.principal commit #5406

Tibor Dudlák (1)

  • user.py: replace user_mod with ldap.update_entry() commit #5788

Tomas Krizek (2)