The FreeIPA team would like to announce the FreeIPA 4.6.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 26 and 27 will be available in the official COPR repository.

Highlights in 4.6.2

Enhancements

Known Issues

Bug fixes

FreeIPA 4.6.2 is a stabilization release for the features delivered as a part of 4.6.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #7275 Viewing DNS Records with WebUI fails

  • #7254 test_caless: fix http.p12 is not valid and provide domain_level for replica tests

  • #7226 Remove remaining references to Firefox configuration extension

  • #7213 Increase dbus client timeouts during CA install

  • #7210 Firefox reports insecure TLS configuration when visiting FreeIPA web UI after standard server deployment

  • #7208 freeipa: binary RPMs require both Python 2 and Python 3

  • #7190 Wrong info message from tasks.py

  • #7189 make check is failed

  • #7187 ipa-replica-manage should provide a debug option

  • #7186 testing: get back command outputs when running tests

  • #7155 test_caless: add caless to external CA test

  • #7154 test_external_ca: switch to python-cryptography

  • #7153 Switch “ipa-run-tests” symlink to “ipa-run-tests-3.6”

  • #7151 ipa-server-upgrade performs unneeded steps to stop tracking/start tracking certs

  • #7148 py3: ipa cert-request --principal --database fails with BytesWarning: str() on a bytes instance

  • #7142 py3: ipa ca-add fails with ‘an internal error has occurred’

  • #7134 ipa param-find: command displays internal error

  • #7133 tox -e pylint3 fails under Python 3.6

  • #7132 [4.6] PyPI packages are broken

  • #7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite fails due to missing dns records

  • #7033 vault: TypeError: … is not JSON serializable

  • #6994 RFE: Remove 389-ds tuning step

  • #6858 RFE - Option to add custom OID or display name in IPA Cert

  • #6844 ipa-restore fails when umask is set to 0027

  • #6702 Update Dogtag to 10.4

  • #5887 IDNA domains does not work under py3

  • #5442 [tracker] SELinux ‘execmem’ denials

Detailed changelog since 4.6.1

Alexander Bokovoy (10)

  • ipaserver/plugins/trust.py: pep8 compliance commit

  • trust: detect and error out when non-AD trust with IPA domain name exists commit #7264

  • ipaserver/plugins/trust.py; fix some indenting issues commit

  • ipa-extdom-extop: refactor nsswitch operations commit #5464

  • test_dns_plugin: cope with missing IPv6 in Travis commit

  • travis-ci: collect logs from cmocka tests commit

  • ipa-kdb: override krb5.conf when testing KDC code in cmocka commit

  • adtrust: filter out subdomains when defining our topology to AD commit #6666

  • ipa-replica-manage: implicitly ignore initial time skew in force-sync commit #7211

  • ds: ignore time skew during initial replication step commit #7211

Abhijeet Kasurde (3)

  • Trivial typo fix. commit

  • ipatests: Fix interactive prompt in ca_less tests commit #7182

  • tests: correct usage of hostname in logger in tasks commit #7190

Alexander Koksharov (1)

Aleksei Slaikovskii (6)

  • ipa-restore: Set umask to 0022 while restoring commit #6844

  • View plugin/command help in pager commit #7225

  • Add a notice to restart ipa services after certs are installed commit #7016

  • Fix TypeError while ipa-restore is restoring a backup commit #7131

  • ipaclient.plugins.dns: Cast DNS name to unicode commit #7185

  • Less confusing message for PKINIT configuration during install commit #7179

Christian Heimes (23)

  • Update IPA_GIT_BRANCH to ipa-4-6 commit

  • Add make targets for fast linting and testing commit

  • Add marker needs_ipaapi and option to skip tests commit

  • Add python_requires to Python package metadata commit #7294

  • Remove Custodia keys on uninstall commit #7253

  • Update to python-ldap 3.0.0 commit

  • Update builddep command to install Python 3 and tox deps commit

  • Add workaround for pytest 3.3.0 bug commit

  • Fix dict iteration bug in dnsrecord_show commit #7275

  • Reproducer for bug in structured dnsrecord_show commit #7275

  • Use Python 3 on Travis commit

  • Prevent installation of Py2 and Py3 mod_wsgi commit #7161

  • libotp: add libraries after objects commit #7189

  • Require UTF-8 fs encoding commit #5887

  • Run tox tests for PyPI packages on Travis commit

  • Py3: Fix vault tests commit #7033

  • Use namespace-aware meta importer for ipaplatform commit #6474

  • Test script for ipa-custodia commit

  • Remove ignore_import_errors commit

  • Backup ipa-custodia conf and keys commit #7247

  • Py3: fix fetching of tar files commit #7131

  • Use os.path.isfile() and isdir() commit

  • Block PyOpenSSL to prevent SELinux execmem in wsgi commit #5442

David Kupka (2)

  • schema: Fix internal error in param-{find,show} with nonexistent object commit

  • tests: Add LDAP URI to ldappasswd explicitly commit #6622

Felipe Barreto (6)

  • Warning the user when using a loopback IP as forwarder commit #5801

  • Removing replica-s4u2proxy.ldif since it’s not used anymore commit #7174

  • Fix log capture when running pytests_multihosts commands commit #7186

  • Checks if replica-s4u2proxy.ldif should be applied commit #7174

  • Fixing tox and pylint errors commit #7132

  • Fixing param-{find,show} and output-{find,show} commands commit #7134

Florence Blanc-Renaud (10)

  • Improve help message for ipa trust-add --range-type commit #7308

  • Fix ca less IPA install on fips mode commit #7280

  • Fix ipa-restore (python2) commit #7231

  • ipa-getkeytab man page: add more details about the -r option commit #7237

  • Py3: fix ipa-replica-conncheck commit #7131

  • Fix ipa-replica-conncheck when called with --principal commit #7221

  • py3: fix ipa cert-request --database … commit #7148

  • ipa-cacert-manage renew: switch from ext-signed CA to self-signed commit #7173

  • ipa-server-upgrade: do not add untracked certs to the request list commit #7151

  • ipa-server-upgrade: fix the logic for tracking certs commit #7151

Fraser Tweedale (22)

  • ipa_certupdate: avoid classmethod and staticmethod commit #6577

  • Run certupdate after promoting to CA-ful deployment commit #7230

  • ipa-ca-install: run certupdate as initial step commit #6577

  • CertUpdate: make it easy to invoke from other programs commit #6577

  • renew_ra_cert: fix update of IPA RA user entry commit #7282

  • Use correct version of Python in RPM scripts commit #7299

  • Re-enable some KRA installation tests commit #7220

  • Remove caJarSigningCert profile and related code commit #7226

  • CertDB: remove unused method issue_signing_cert commit #7226

  • Remove XPI and JAR MIME types from httpd config commit #7226

  • Remove mention of firefox plugin after CA-less install commit #7226

  • ipa-cacert-manage: avoid some duplicate string definitions commit #6858

  • ipa-cacert-manage: handle alternative tracking request CA name commit #6858

  • Add tests for external CA profile specifiers commit #6858

  • ipa-cacert-manage: support MS V2 template extension commit #6858

  • certmonger: add support for MS V2 template commit #6858

  • certmonger: refactor ‘resubmit_request’ and ‘modify’ commit #6858

  • ipa-ca-install: add --external-ca-profile option commit #6858

  • install: allow specifying external CA template commit #6858

  • Remove duplicate references to external CA type commit #6858

  • cli: simplify parsing of arbitrary types commit #6858

  • py3: fix pkcs7 file processing commit #7131

John Morris (1)

  • Increase dbus client timeouts during CA install commit

Michal Reznik (12)

  • test_batch_plugin: fix py2/3 failing assertion commit #7131

  • test_vault: increase WAIT_AFTER_ARCHIVE commit #7265

  • test_caless: fix http.p12 is not valid commit #7254

  • test_caless: fix TypeError on domain_level compare commit #7254

  • manpage: ipa-replica-conncheck - fix minor typo commit #7250

  • test_forced_client: decode get_file_contents() result commit #7131

  • test_external_dns: add missing test cases commit #6091

  • test_caless: open CA cert in binary mode commit #7131

  • tests: add host zone with overlap commit #7124

  • tests_py3: decode get_file_contents() result commit #7131

  • test_caless: add caless to external CA test commit #7155

  • test_external_ca: switch to python-cryptography commit #7154

Mohammad Rizwan Yusuf (1)

Petr Čech (2)

Pavel Vomacka (1)

  • WebUI: make Domain Resolution Order writable commit #7169

Rob Crittenden (7)

  • Run server upgrade in ipactl start/restart commit #6968

  • If the cafile is not present or readable then raise an exception commit #7145

  • Add test to ensure that properties are being set in rpcclient commit

  • Use the CA chain file from the RPC context commit #7145

  • Fix cert-find for CA-less installations commit #7202

  • Use 389-ds provided method for file limits tuning commit #6994

  • Collect group membership without a size limit commit #7112

Rishabh Dave (1)

  • ipa-ca-install: mention REPLICA_FILE as optional in help commit #7223

Sumit Bose (1)

  • ipa-kdb: reinit trusted domain data for enterprise principals commit #7172

Stanislav Laznicka (22)

  • Don’t allow OTP or RADIUS in FIPS mode commit #7168

  • caless tests: decode cert bytes in debug log commit

  • caless tests: make debug log of certificates sensible commit

  • Add indexing to improve host-find performance commit #6371

  • Add the sub operation for fqdn index config commit #6371

  • x509: remove subject_base() function commit

  • x509: remove the strip_header() function commit

  • py3: pass raw entries to LDIFWriter commit #7131

  • ipatests: use python3 if built with python3 commit #7131

  • PRCI: use a new template for py3 testing commit

  • csrgen_ffi: cast the DN value to unsigned char * commit #7131

  • Remove pkcs10 module contents commit #7131

  • Add tests for CertificateSigningRequest commit #7131

  • parameters: introduce CertificateSigningRequest commit #7131

  • parameters: relax type checks commit #7131

  • csrgen: update docstring for py3 commit #7131

  • csrgen: accept public key info as Bytes commit #7131

  • csrgen_ffi: pass bytes where “char *” is required commit #7131

  • travis: pep8 changes to pycodestyle commit

  • p11-kit: add serial number in DER format commit #7210

  • travis: make tests fail if pep8 does not pass commit

  • Remove the `message` attribute from exceptions commit #7131

Thierry Bordaz (1)

  • 389-ds-base crashed as part of ipa-server-install in ipa-uuid commit #7227

Tibor Dudlák (3)

  • Become IPA 4.6.2 commit

  • Update Contributors.txt commit

  • Update zanata translations commit

Tomas Krizek (13)

  • prci: define testing topologies commit

  • prci: start testing PRs on fedora 27 commit

  • py3 spec: remove python2 dependencies from server-trust-ad commit #7208

  • py3 spec: remove python2 dependencies from freeipa-server commit #7208

  • py3 spec: use proper python2 package names commit #7131

  • ipatests: fix circular import for collect_logs commit

  • ipatests: collect logs for external_ca test suite commit

  • prci: add external_ca test commit

  • ldap: limit the retro changelog to dns subtree commit #6515

  • spec: bump 389-ds-base to 1.3.7.6-1 commit

  • ipatests: set default 389-ds log level to 0 commit #7162

  • prci: update F26 template commit

  • 4.6 set back to git snapshot commit

Thorsten Scherf (1)

  • Add debug option to ipa-replica-manage and remove references to api_env var. commit #7187