The FreeIPA team would like to announce the FreeIPA 4.6.0 release!
It can be downloaded from https://releases.pagure.org/freeipa/. Builds for Fedora 26 and 27 are available in the official COPR repository https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/.
Highlights in 4.6.0
Enhancements
Python 3 is now supported.
Known Issues
WebUI may not work in some configurations [#7126, #7127]
Attempting to uninstall when IPA isn’t installed prints confusing strings [#7063]
Bug fixes
Contains all bugfixes and enhancements of the 4.5.1, 4.5.2 and 4.5.3 releases.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.
Resolved tickets
#7123 External CA renewal fails when IPA CA subject DN does not match “CN=Certificate Authority, {subject-base}”
#7116 dnssec: fix localhsm.py with openhsm >= 2.2.0
#7108 ipa-backup broken because of cyclic import
#7086 [ipatests] - add caless to cafull tests
#7066 WebUI: All columns of user in group table are clickable
#7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!
#7017 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com
#6605 make lint + make modifies PO files in place
#6582 Web UI: Change “Host Based” and “Role Based” to “Host-Based” and “Role-Based”
#6447 [WebUI] Remove offline version of WebUI
#6261 Replace ERROR: cannot connect to ‘http://localhost:8888/ipa/json’: [Errno 111] Connection refused with ‘IPA is not configured on this system’
#6176 Updating of dns system records rapidly slowdown uninstallation
#7121 ipa otptoken-add-yubikey fails with python3
#7118 Fix CA-less installation due to incorrect with statement
#7110 Missing requirement in freeipa 4.5.90.dev201708161122+git799551892-0
#7100 test_caless: add SAN dNSName extensions for wildcard tests
#7088 Use X509v3 Basic Constraints “CA:TRUE” instead of “CA:FALSE” IPA CA CSR
#7076 Adjust to CURL whichs started to use OpenSSL - ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE)
#7053 Replica install fails to configure IPA-specific temporary files/directories
#7052 WebUI: search facet spec actions contains ‘undefined’ item
#7051 ipapython/graph.py complexity optimization
#7050 Type error when running tests for whoami command.
#7046 missing default basedn causes failure during initialization of multi host tests
#7030 tests: CA-less test suite broken due to missing subject key identifier extension
#7011 --force-join option is not mentioned in ipa-replica-install man page
#7010 ipa-backup fails silently
#7002 adtrustinstance: broken ID range assessment
#6987 ca-add: invalid X.509 DN fails ungracefully
#6986 make pylint is not working on F26
#6980 Pagination Size under Customization in IPA WebUI accepts negative values
#6976 External CA: check that IPA CA certificate contains Subject Key Identifier
#6974 WebUI: Fix unit webUI tests
#6971 ipatests: collect systemd journal
#6956 Backup and restore tests faliling
#6946 ipa-replica-manage del (dl 0) doesn’t remove server from defaultServerList
#6945 Bring back error messages from certificate validation
#6943 server-del doesn’t remove server from defaultServerList in cn=default,ou=profile,$BASE
#6940 installer should indicate that it is waiting for keys
#6939 ipaserver.plugins.host.get_dn timeout due to unindexed search
#6928 ipa-managed-entries incorrectly states server not installed
#6865 minor spelling mistake in ipa-adtrust-install.1
#6863 minor spelling mistake
#6852 [RFE] Create client enrollment role
#6849 Priority field missing in required field incicator - *
#6845 ipa-otpd.socket.in has wrong kdc service name for Debian
#6834 ipa-kdc-proxy.conf.template hardcodes python module directory
#6822 git-commit-template: update ticket URL to use pagure.io instead of fedorahosted.org
#6818 Update asn1c code in /asn1/asn1c
#6809 Failed to write schema: b’sudo/1’ is not JSON serializable
#6745 [test] ipa whoami command
#6725 No page for information on build from source
#6642 Py3: test_serverroles: use ldap2/ldapclient instead of MockLDAP
#6591 pytest 3.0: yield tests are deprecated
#5990 Py3: zonemgr_callback: expected unicode, got bytes
#5919 cert-request rfc822Name check compares whole email address case-sensitively
#4985 [RFE] Support Python 3
Detailed changelog since 4.5.3
Alexander Bokovoy (13)
ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later commit #6877
ipa-sam: use own private structure, not ldapsam_privates commit #6877
trust-mod: allow modifying list of UPNs of a trusted forest commit #7015
ipa-kdb: add pkinit authentication indicator in case of a successful certauth commit #6736
trust: always use oddjobd helper for fetching trust information commit
adtrust: make sure that runtime hostname result is consistent with the configuration commit #6786
server: make sure we test for sss_nss_getlistbycert commit #6828
ldap2: use LDAP whoami operation to retrieve bind DN for current connection commit #6797
Abhijeet Kasurde (6)
Alex Zeleznikov (1)
Sort SRV records by priority commit
Aleksei Slaikovskii (3)
Ben Lipton (4)
Christian Heimes (40)
Silence pytest.yield_fixture deprecation warning commit #6591
Slim down dependencies commit
Band-aid for pip dependency bug commit
tox testing support for client wheel packages commit
Stabilize make pypi_packages commit
Replace hard-coded kdcproxy path with WSGI script commit #6834
Don’t hard-code with_wheels commit
Add an option to build ipaserver wheels commit
Add extra_requires for additional dependencies commit
Conditionally import pyhbac commit
Skip test_session_storage in ipaclient unittest mode commit
session storage parameters must be bytes commit
Fix ipatests.util doc tests commit
Use Custodia 0.3.1 features commit
pytest 3.x compatibility commit
Move hosts module to ipatests.pytest_plugins.integration.hosts commit #6798
Move tasks module to ipatests.pytest_plugins.integration.tasks commit #6798
Move env_config module to ipatests.pytest_plugins.integration.env_config commit #6798
Move config module to ipatests.pytest_plugins.integration.config commit #6798
Increase Apache HTTPD’s default keep alive timeout commit
Add debug logging for keep-alive commit
Python 3: Fix session storage commit
Fix Python 3 pylint errors commit
David Kreitschmann (4)
David Kupka (22)
tests: certmap: Add test for user-{add,remove}-certmap commit #7105
tests: certmap: Add test for certmapconfig-{mod,show} commit #7105
tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands commit #7105
tests: certmap: Add basic tests for certmaprule commands commit #7105
tests: tracker: Add CertmapTracker for testing certmap-* commands commit #7105
tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands commit #7105
tests: tracker: Add EnableTracker to test *-{enable,disable} commands commit #7105
tests: tracker: Split Tracker into one-purpose Trackers commit #7105
install: replica: Show message about key synchronization commit #6940
kra: promote: Get ticket before calling custodia commit #7020
ipapython.ipautil.run: Add option to set umask before executing command commit #6831
otptoken-add-yubikey: When --digits not provided use default value commit #6900
Create system users for FreeIPA services during package installation commit #6743
WebUI: cert login: Configure name of parameter used to pass username commit #6860
httpinstance.disable_system_trust: Don’t fail if module ‘Root Certs’ is not available commit #6803
spec file: Bump requires to make Certificate Login in WebUI work commit #6823
rpcserver.login_x509: Actually return reply from __call__ method commit #6819
Create temporaty directories at the begining of uninstall commit #6715
ipapython.ipautil.nolog_replace: Do not replace empty value commit #6738
felipe (1)
Felipe Volpone (3)
Felipe Volpone (5)
Adding section “Building FreeIPA from source” on README commit #6725
Changing cert-find to go through the proxy instead of using the port 8080 commit #6966
Changing cert-find to do not use only primary key to search in LDAP. commit #6948
Fixing the cert-request comparing whole email address case-sensitively. commit #5919
Fabiano Fidêncio (1)
Florence Blanc-Renaud (22)
Fix ipa-server-upgrade: This entry already exists commit #7125
ipa-replica-conncheck: handle ssh not installed commit #6935
ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt commit #6925
ipa-replica-manage del (dl 0): remove server from defaultServerList commit #6946
server-del: update defaultServerList in cn=default,ou=profile,$BASE commit #6943
ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname commit #6895
ipa-kra-install manpage: document domain-level 1 commit #6922
ipa-server-install with external CA: fix pkinit cert issuance commit #6921
ipa-client-install: remove extra space in pkinit_anchors definition commit #6916
upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed commit #6881
ipa-sam: create the gidNumber attribute in the trusted domain entry commit #6827
idrange-add: properly handle empty --dom-name option commit #6404
ipa-ca-install man page: Add domain level 1 help commit #5831
git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org commit #6822
dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function commit #6813
man ipa-cacert-manage install needs clarification commit #6795
Fraser Tweedale (14)
Fix external renewal for CA with non-default subject DN commit #7123
cert: fix application of ‘str’ to bytes when formatting otherName commit #4985
py3: fix schema response for py2 server with py3 client commit #4985
Fix incorrect ‘with’ statement in CA-less installation commit #7118
Restore old version of caIPAserviceCert for upgrade only commit #7097
Add CommonNameToSANDefault to default cert profile commit #7007
Add a README to certificate profile templates directory commit #7014
Add Subject Key Identifier to CA cert validity check commit #6976
Support 8192-bit RSA keys in default cert profile commit #6319
Jan Cholasta (61)
pylint: enable logging checks commit
logging: do not use `ipa_log_manager` to create module-level loggers commit
logging: do not log into the root logger commit
logging: do not reference loggers in arguments and attributes commit
doc: sync guide.org with cli.py commit
logging: remove object-specific loggers commit
logging: use the actual root logger as the root logger commit
logging: port to standard Python logging commit
logging: do not configure any handlers by default commit
wsgi, oddjob: remove needless uses of Env commit
config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn` commit
ldap2: remove URI argument from ldap2 constructor commit
test_ldap: drop redundant URI argument commit
{ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections commit
user, migration: use LDAPClient for ad-hoc LDAP connections commit
server upgrade: do not enable PKINIT by default commit #7000
httpinstance: wait until the service entry is replicated commit #6867
server install: fix KDC certificate validation in CA-less commit #6831, #6869
certs: do not export CA certs in install_pem_from_p12 commit #6831, #6869
certs: do not export keys world-readable in install_key_from_p12 commit #6831
install: introduce generic Kerberos Augeas lens commit #6831
client install: fix client PKINIT configuration commit #6831
certdb, certs: make trust flags argument mandatory commit #6831
renew agent: always export CSR on IPA CA certificate renewal commit #5799
cainstance: use correct profile for lightweight CA certificates commit #5799
server upgrade: always fix certmonger tracking request commit #5799
spec file: bump krb5 Requires for certauth fixes commit #4905
renew agent, restart scripts: connect to LDAP after kinit commit #6757
renew agent: revert to host keytab authentication commit #6757
install: request service certs after host keytab is set up commit #6757
dsinstance, httpinstance: consolidate certificate request code commit #6757
httpinstance: avoid httpd restart during certificate request commit #6757
dsinstance: reconnect ldap2 after DS is restarted by certmonger commit #6757
httpinstance: make sure NSS database is backed up commit #4639
certdb: fix `AttributeError` in `verify_ca_cert_validity` commit
setup, pylint, spec file: drop python-nss dependency commit
certdb: use certutil and match_hostname for cert verification commit
spec file: bump libsss_nss_idmap-devel BuildRequires commit #6828
spec file: bump krb5-devel BuildRequires for certauth commit #4905
cert: do not limit internal searches in cert-find commit #6716
replica prepare: fix wrong IPA CA nickname in replica file commit #6777
httpinstance: clean up /etc/httpd/alias on uninstall commit #4639
tasks: run `systemctl daemon-reload` after httpd.service.d updates commit #6773
René Genz (3)
Martin Babinsky (45)
Move tmpfiles.d configuration handling back to spec file commit #7053
Do not remove the old masters when setting the attribute fails commit #7029
*config-show: Do not show empty roles/attributes commit #7029
smart-card-advises: ensure that krb5-pkinit is installed on client commit #7036
smart card advise: use password when changing trust flags on HTTP cert commit #7036
smart card advises: use a wrapper around Bash `for` loops commit #7036
Use the compound statement formatting API for configuring PKINIT commit #7036
Fix indentation of statements in Smart card advises commit #7036
delegate formatting of compound Bash statements to dedicated classes commit #7036
advise: add an infrastructure for formatting Bash compound statements commit #7036
delegate the indentation handling in advises to dedicated class commit #7036
add a class that tracks the indentation in the generated advises commit #7036
Allow to pass in multiple CA cert paths to the smart card advises commit #7036
smart-card advises: add steps to store smart card signing CA cert commit #7036
smart-card advises: configure systemwide NSS DB also on master commit #7036
Prepare advise plugin for smart card auth configuration commit #6982
Extend the advice printing code by some useful abstractions commit #6982
fix incorrect suffix handling in topology checks commit #6965
Do not delete DS and PKI users during backup/restore tests commit #6956
test_backup_restore: do not fail on missing KrbLastSuccessfulAuth commit #6956
only stop/disable simple service if it is installed commit #6977
test_serverroles: Get rid of MockLDAP and use ldap2 instead commit #6937
Add the list of PKINIT servers as a virtual attribute to global config commit #6937
Add an attribute reporting client PKINIT-capable servers commit #6937
Refactor the role/attribute member reporting code commit #6937
Travis CI: Add the server uninstaller as a last step of tests commit #6950
Travis CI: explicitly update pip before running the builds commit
Do not test anonymous PKINIT after install/upgrade commit #6830
Upgrade: configure local/full PKINIT depending on the master status commit #6830
Use local anchor when armoring password requests commit #6830
Stop requesting anonymous keytab and purge all references of it commit #6830
Use only anonymous PKINIT to fetch armor ccache commit #6830
API for retrieval of master’s PKINIT status and publishing it in LDAP commit #6830
Allow for configuration of all three PKINIT variants when deploying KDC commit #6830
separate function to set ipaConfigString values on service entry commit #6830
Revert “Store GSSAPI session key in /var/run/ipa” commit #6880
Always check and create anonymous principal during KDC install commit #6799
Split out anonymous PKINIT test to a separate method commit #6792
Remove unused variable from failed anonymous PKINIT handling commit #6792
Upgrade: configure PKINIT after adding anonymous principal commit #6792
Travis CI: invoke integration test helper scripts before test execution commit
Martin Basti (63)
baseldap: fix format string commit
IPAOptionParser: fix dict comprehension commit
py3: run already ported scripts under py3 by default commit #4985
py3: temporary set dependencies to both py2 and py3 packages commit #4985
py3: ipa_otptoken_import: fix calling unicode on bytes commit #4985
py3: ipa_otptoken_import: fix lamba code inspection commit #4985
py3: test_location_plugin: fix iteration over changed dict commit #4985
py3: test_kerberos_principal_aliases: fix code scope commit #4985
py3: travis: enable tests for plugins that are aleready working commit #4985
Travis: check for BytesWarnings in httpd error_log commit
py3: LDAPClient: remove __del__ method commit
python-netifaces: update to reflect upstream changes commit #7021
Travis: enable temporary Py3 testing commit
Travis: build only py2 packages for py2 testing commit
Build: allow to build only py2 rpms for fedora commit
replica install: add missing check for non-local IP address commit #4317
ipa-dns-install: remove check for local ip address commit #4317
Explicitly ask for py2 dependencies in py2 packages commit #4985
Only warn when specified server IP addresses don’t match intf commit #2715, #4317
py3: update_mod_nss_cipher_suite: ordering doesn’t work with None commit #4985
py3: urlfetch: use “file://” prefix with filenames commit #4985
py3: ConfigParser: replace deprecated readfd with read commit #4985
py3: use ConfigParser instead of SafeConfigParser commit #4985
custodia dep: require explictly python2 version commit #6962
adtrust: move SELinux settings to constants commit
httpd: move SELinux settings to constants commit
ipasetup: fix dependencies handling based on python version commit #6875
tests: add missing dependency iptables commit
Remove surplus ‘the’ in output of ipa-adtrust-install commit #6864
collect audit.log for easier selinux investigation commit
Set development version to 4.5.90 commit
Lewis Eason (1)
Correct typo estabilish->establish in the install scripts commit
Michal Reznik (9)
test_caless: add SAN dNSName extensions for wildcard tests commit #7100
test_caless: add replica ca-less to ca-full test (master caless) commit #6226, #7086
test_caless: add server_replica ca-less to ca-full test commit #7086
tests: fix external_ca test suite failing due to missing SKI commit #7099
test_caless: remove xfail in wildcard certificate tests commit #5603
test_caless: introduce new python makepki + fix SKI extension issue commit #7030
test_caless: mark TestCertinstall intermediate CA tests as xfail commit #6959
added krb5kdc.log to pytest logging commit
Nathaniel McCallum (1)
Oliver Gutierrez (1)
Added plugins directory to paclient subpackages commit
Petr Spacek (1)
ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri commit
Petr Vobornik (5)
Pavel Vomacka (34)
Add loader.js into requirements of all HTML unit test files commit #6974
WebUI: remove creating js/libs symlink from makefile commit #6447
Revert “Web UI: Remove offline version of Web UI” commit
WebUI: Add hyphenate versions of Host(Role) Based strings commit #6582
WebUI: fix incorrectly shown links in association tables commit #7066
WebUI: fix jslint error commit
WebUI: add support for changing trust UPN suffixes commit #7015
Change python-cryptography to python2-cryptography commit #6749
WebUI - Coverity: fix identical branches of if statement commit
WebUI - Coverity: fixed null pointer exception commit
WebUI: Coverity - add explicit window object to alert methods commit
WebUI: Allow to add certs to certmapping with CERT LINES around commit #6772
WebUI: suppress truncation warning in select widget commit #6618
WebUI: add method for disabling item in user dropdown menu commit #3242
Rob Crittenden (2)
Gabe (2)
Sumit Bose (11)
ipa_pwd_extop: do not generate NT hashes in FIPS mode commit #7026
ipa-sam: replace encode_nt_key() with E_md4hash() commit #7026
ipa-kdb: use canonical principal in certauth plugin commit #6993
ipa-kdb: reload certificate mapping rules periodically commit #6963
IPA-KDB: use relative path in ipa-certmap config snippet commit #6833
extdom: do reverse search for domain separator commit
configure: fix --disable-server with certauth plugin commit #6816
ipa-kdb: add ipadb_fetch_principals_with_extra_filter() commit #4905
Simo Sorce (12)
Stanislav Laznicka (97)
Remove unused variable commit
certmonger: remove temporary workaround commit
cert: fix wrong assumption of cert-show result type commit #4985
py3: remove Exception.message appearances commit #4985, #6874
Fix cert file creation during CA-less installation commit #7118
crtmgr: fix bug if CERTMONGER_CERTIFICATE not set commit #4985
certmonger: finish refactoring for request script commit #4985
Make the IPA server run under Python 3 by default commit #4985
replica-prepare: run the script in py3 by default commit #4985
replica-conncheck: log when failed to RPC connect commit
Split x509.load_certificate() into PEM/DER functions commit #4985
README: Fix trailing whitespace commit
wsgi plugins: mod_wsgi expects bytes as an output commit #4985
adtrustinstance: pep8 fix commit
More verbose error message on kdc cert validation commit #6945
cert-validate: keep all messages in cert validation commit #6945
Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm() commit
session_storage: Correctly handle string/byte types commit #4985
rpc: avoid possible recursion in create_connection commit #6796
Make a doctext more clear commit
compat plugin: Update link to slapi-nis project commit
compat: ignore cn=topology,cn=ipa,cn=etc subtree commit #6821
Move the compat plugin setup at the end of install commit #6821
Fix CAInstance.import_ra_cert for empty passwords commit #6878
replicainstall: better client install exception handling commit #6183
Remove publish_ca_cert() method from NSSDatabase commit #6806
Don’t allow setting pkinit-related options on DL0 commit #6801
Bump samba version for FIPS and priv. separation commit #6671, #6697
Add debug log in case cookie retrieval went wrong commit #6774
Thierry Bordaz (1)
Tibor Dudlák (11)
otptoken_yubikey.py: Removed traceback when package missing. commit #6979
topology.py: Removes error message from dictionary. commit #6533
Add --force-join into ipa-replica-install manpage commit #7011
dnsserver.py: dnsserver-find no longer returns internal server error commit #6571
server.py: Removes dns-server configuration from ldap commit #6572
client.py: Replace hardcoded ‘admin’ with options.principal commit #5406
Tibor Dudlák (2)
Timo Aaltonen (2)
Tomas Krizek (25)
Become IPA 4.6.0 commit
Contributors.txt: update commit
zanata: update translations for ipa-4-6 commit
zanata: set project version to ipa-4-6 commit
prci: add caless tests commit
build: checkout *.po files at the end of makerpms.sh commit #6605
freeipa-pr-ci: enable pull-request CI commit
ipactl: log check_version exception commit
logging: make sure logging level is set to proper value commit
ipatests: do not finalize api when IPA is not configured commit #7046
ipatests: do not collect systemd journal when logfile_dir is missing commit #6971
ipatests: add systemd journal collection for multihost tests commit #6971
ipatests: change logdir naming pattern for multihost tests commit #6971
named.conf template: add modification warning commit
ca install: merge duplicated code for DM password commit #6892
kra install: update installation failure message commit #6923