

Released 2017-10-18

The FreeIPA team would like to announce the FreeIPA 4.5.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25 and 26 will be available in the official COPR repository.

Highlights in 4.5.4


Known Issues

Bug fixes

FreeIPA 4.5.4 is a stabilization release for the features delivered as part of 4.5.0. There are more than 30 bug fixes, details of which can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #7179 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful.
  • #7175 [Backport 7143 to ipa-4-5] "unknown command 'undefined'" error when changing user's password via the web UI
  • #7173 Switch from externally-signed to self-signed CA fails
  • #7172 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC
  • #7146 ipa_otptoken_import.py fails to parse the correct suite defined under the AlgorithmParameters
  • #7144 pkinit-status command fails after an upgrade from a pre-4.5 IPA
  • #7141 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)
  • #7127 sssd.conf not updated after promoting client to promotion
  • #7126 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to doesn't have whoami plugin enabled and thus startup of Web UI fails
  • #7125 ipa-server-upgrade fails with "This entry already exists"
  • #7123 External CA renewal fails when IPA CA subject DN does not match "CN=Certificate Authority, {subject-base}"
  • #7120 Unable to set ca renewal master on replica
  • #7116 dnssec: fix localhsm.py with openhsm >= 2.2.0
  • #7112 user-show command fails when sizelimit is configured to number <= number of entity which is user member of
  • #7108 ipa-backup broken because of cyclic import
  • #7106 TypeError in renew_ca_cert prevents from switching back to self-signed CA
  • #7086 [ipatests] - add caless to cafull tests
  • #7083 failed ipa-server-upgrade , time out from dogtag services , custodia errors
  • #7074 IPA shouldn't allow objectclass if not all in lower case
  • #7066 WebUI: All columns of user in group table are clickable
  • #7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!
  • #7017 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com
  • #6999 ipa command throws backtrace instead of showing help with wrong syntax
  • #6979 Suggest user to install libyubikey package instead of traceback
  • #6952 Suggest CA installation command in KRA installation warning
  • #6622 [tests] ipatests.util.unlock_principal_password does not respect configured ldap_uri
  • #6605 make lint + make modifies PO files in place
  • #6592 [tracker] SELinux policy tracker for 4.5
  • #6582 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and "Role-Based"
  • #6447 [WebUI] Remove offline version of WebUI
  • #6261 Replace ERROR: cannot connect to 'http://localhost:8888/ipa/json': [Errno 111] Connection refused with 'IPA is not configured on this system'
  • #6176 Updating of dns system records rapidly slowdown uninstallation

Detailed changelog since 4.5.3

Alexander Bokovoy (2)

  • Make sure upgrade also checks for IPv6 stack commit #7083
  • OTP import: support hash names with HMAC- prefix commit #7146

Abhijeet Kasurde (1)

Alexander Koksharov (1)

Aleksei Slaikovskii (2)

  • ipaclient.plugins.dns: Cast DNS name to unicode. commit #7185
  • Less confusing message for PKINIT configuration during install commit #7179

Christian Heimes (1)

  • Block PyOpenSSL to prevent SELinux execmem in wsgi commit #5442

David Kreitschmann (2)

  • Disable pylint in get_help function because of type confusion. commit
  • Store help in Schema before writing to disk commit

David Kupka (11)

  • tests: Add LDAP URI to ldappasswd explicitly commit #6622
  • tests: certmap: Add test for user-{add,remove}-certmap commit #7105
  • tests: tracker: Add CertmapdataMixin tracker commit #7105
  • tests: certmap: Add test for certmapconfig-{mod,show} commit #7105
  • tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands commit #7105
  • tests: certmap: Test permissions for certmap commit #7105
  • tests: certmap: Add basic tests for certmaprule commands commit #7105
  • tests: tracker: Add CertmapTracker for testing certmap-* commands commit #7105
  • tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands commit #7105
  • tests: tracker: Add EnableTracker to test *-{enable,disable} commands commit #7105
  • tests: tracker: Split Tracker into one-purpose Trackers commit #7105

Felipe Volpone (4)

  • Changing idoverrideuser-* to treat objectClass case insensitively commit #7074
  • Fixing how sssd.conf is updated when promoting a client to replica commit #7127
  • Removing part of circular dependency of ipalib in ipaplatform commit #7108
  • Changing how commands handles error when it can't connect to IPA server commit #6261

Florence Blanc-Renaud (5)

  • ipa-cacert-manage renew: switch from ext-signed CA to self-signed commit #7173
  • Backport 4-5: Fix ipa-server-upgrade with server cert tracking commit #7141
  • Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists commit #7125
  • Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) commit #7106
  • Fix ipa config-mod --ca-renewal-master commit #7120

Fraser Tweedale (2)

  • Fix external renewal for CA with non-default subject DN commit #7123
  • Restore old version of caIPAserviceCert for upgrade only commit #7097

Martin Basti (1)

Michal Reznik (3)

  • test_caless: add replica ca-less to ca-full test (master caless) commit #7086
  • test_caless: add server_replica ca-less to ca-full test commit #7086
  • tests: fix external_ca test suite failing due to missing SKI commit #7099

Nathaniel McCallum (1)

  • ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace commit #7035

Petr Čech (1)

Petr Vobornik (2)

Pavel Vomacka (9)

  • WebUI: Fix calling undefined method during reset passwords commit #7175
  • WebUI: remove unused parameter from get_whoami_command commit #7175
  • Adds whoami DS plugin in case that plugin is missing commit #7126
  • WebUI: remove creating js/libs symlink from makefile commit #6447
  • WebUI: Remove plugins symlink as it is unused commit #6447
  • Remove all old JSON files commit #6447
  • Revert "Web UI: Remove offline version of Web UI" commit
  • WebUI: Add hyphenate versions of Host(Role) Based strings commit #6582
  • WebUI: fix incorrectly shown links in association tables commit #7066

Rob Crittenden (1)

  • Collect group membership without a size limit commit #7112

Sumit Bose (1)

  • ipa-kdb: reinit trusted domain data for enterprise principals commit #7172

Stanislav Laznicka (4)

  • travis: make tests fail if pep8 does not pass commit
  • Use correct container for ipa-4-5 testing commit
  • pkinit: don't fail when no pkinit servers found commit #7144
  • travis: temporary workaround for Travis CI commit

Thierry Bordaz (1)

  • NULL LDAP context in call to ldap_search_ext_s during search commit #7017

Tibor Dudlák (1)

  • otptoken_yubikey.py: Removed traceback when package missing. commit #6979

Tomas Krizek (11)

  • Become IPA 4.5.4 commit
  • Update contributors commit
  • Update translations commit
  • prci: use f26 template for ipa-4-5 commit
  • ipatests: collect log after ipa-ca-install commit #7060
  • dnssec: fix localhsm.py utility script commit #7116
  • prci: rename template to ci-ipa-4-5-f25 commit
  • prci: add caless tests commit
  • build: checkout *.po files at the end of makerpms.sh commit #6605
  • freeipa-pr-ci: enable pull-request CI commit
  • 4.5 set back to git snapshot commit