The FreeIPA team would like to announce FreeIPA 4.6.4 release!

It can be downloaded from Builds for Fedora 27 will be available soon.

Highlights in 4.6.4#

  • Several changes to upgrade process so it will be more robust:

    • The schema compat plugin is disabled during upgrades

    • Verify the Custodia keys

    • Handle entries that already exist when adding new ones

    • Run the upgrade in an empty ccache

    • Don’t try to backup CS.cfg during upgrade if CA is not configured

    • Properly detect whether a KRA is configured

    • Set nsds5ReplicaReleaseTimeout to avoid monopolization of a master during replication

Bug fixes#

FreeIPA 4.6.4 is a stabilization release for the features delivered as a part of 4.6.0. There are more than 50 bug-fixes details of which can be seen in the list of resolved tickets below.


Upgrade instructions are available on Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list ( or #freeipa channel on Freenode.

Resolved tickets#

  • 5638 Port client code to Python 3

  • 5776 webui: some data disappear from user details page after the save action is performed

  • 5813 ipa-kra-install disrupts bind-dyndb-ldap

  • 5922 ipa vault-archive overwrites an existing value without warning

  • 6525 makeapi & makeaci under Python 2/3 generate different files

  • 6531 Refactor the execution flow of `cert-request` command

  • 6609 A CA administrator fails to add CA for Insufficient ‘add’ privilege

  • 6721 While performing ipa-server-upgrade, sssd goes offline and stalls the upgrade process

  • 6851 Don’t use ctypes.util.find_library in ipaclient

  • 7012 Users can delete their last active OTP token

  • 7131 Finish Python3 support

  • 7136 ipa-restore command doesn’t exit with failure if wrong directory manager’s password is provided

  • 7240 ipa-dnskeysyncd broken (and ipactl doesn’t tell)

  • 7313 trust integration tests need to override test_establish_trust method when using different trust-add options

  • 7314 Update package metadata

  • 7330 ipa-server-install –uninstall does not return error code on error

  • 7335 Integration tests are not collecting all logs

  • 7342 admins group is not including all permissions of Role “User Administrator”

  • 7357 IntegrationTests do not fail even if the uninstall process fails

  • 7359 [RFE] extend topology plugin to clean up a removed replica ldap/ principal

  • 7371 uninstalling replica leaves orphained data in ldap

  • 7374 IPA ‘Generate OTP’ option in web gui does not show OTP code when no reverse zone is managed

  • 7380 Possible regression for limited OTP characters in host-add

  • 7383 user-add: user creation proceeds when password is wrong

  • 7389 F-27 upgrade to 4.6.3-1 fails with KRA update

  • 7390 cert-request: issuance of malformed certificate causes IPA Internal Error

  • 7393 Installing 4.6.3-1 in rawhide/F28 fails with DuplicateEntry enabling TLS in 389-ds

  • 7394 file conflicts between python2-mod_wsgi and freeipa-server

  • 7397 ipa host-add –ip-address… returns Internal error when forward-policy=none is defined

  • 7411 Simplify CA, TLS and bytes warning configuration of LDAP connections

  • 7424 Improve Realm Domains doc text

  • 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA

  • 7432 make fasttest fails on fresh clone. fedora26

  • 7433 CRL url on replicas gets incorrectly redirected

  • 7436 ipa: Please log something after restarting the KDC

  • 7447 test_create_host_with_ip is not fully covering possible return errors

  • 7463 test_webui: add user life-cycles tests

  • 7468 is failing in nightly tests

  • 7472 ipa: ERROR: Could not get SOA serial interactively

  • 7473 ERROR: No valid Negotiate header in server response

  • 7474 ipa-server-install –uninstall on replica fails with “NoOptionError: No option ‘ldap_uri’ in section: ‘global’”

  • 7485 Extending webui user group test

  • 7493 ipa-replica-install fails with ERROR 400 Client Error when master has httpd 2.4.33-2.fc27

  • 7503 multiple occurrences of profileId in certprofile causes incorrect behaviour

  • 7505 WebUI tests: Extend netgroup tests

  • 7510 validate_selinuxuser does not allow a period in selinux user identifier

  • 7519 Adding SSH keys for AD users as I created overrides

  • 7520 ipa certmap-match throwing “ipa: ERROR: an internal error has occurred”

  • 7526 IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain

  • 7535 ipa-restore fails because tmp/etc/ipa/ca.crt is missing

  • 7540 Extend WebUI test_krbpolicy suite with the following test cases:

  • 7542 CLI and Web UI allow to add more then one radius server into radius proxy

  • 7544 ui_tests: extend suite

  • 7546 ui_tests: improve “field_validation” method

  • 7547 ui_tests: checkbox click fix

  • 7550 [WebUI] extend host test suite

Detailed changelog since 4.6.3#

Alexander Bokovoy (7)#

  • group-del: add a warning to logs when password policy could not be removed

  • pylint3: workaround false positives reported for W1662

  • idoverrideuser-add: allow adding ssh key in web ui

  • ACL: Allow hosts to remove services they manage

  • replication: support error messages from 389-ds 1.3.5 or later

  • upgrade: treat duplicate entry when updating as not an error

  • upgrade: Run configuration upgrade under empty ccache collection

Alexander Koksharov (2)#

  • Fix replica_promotion-domlevel0 test failures

  • preventing ldap principal to be deleted

Amit Kumar (3)#

  • ipa vault-archive overwrites an existing value without warning

  • Error message while adding idrange with untrusted domain

  • ipa-advise for smartcards updated

Aleksei Slaikovskii (3)#

  • Radius proxy multiservers fix

  • Enable and start oddjobd after ipa-restore if it’s not running.

  • Fixing translation problems

Christian Heimes (27)#

  • Revert “Validate the Directory Manager password”

  • Load certificate files as binary data

  • Use single Custodia instance in installers

  • Add nsds5ReplicaReleaseTimeout to replica config

  • Provide ldap_uri in Custodia uninstaller

  • Defer import of ipaclient.csrgen

  • Require more recent glibc on F27

  • More cleanup after uninstall

  • Pylint 1.8.3 fixes

  • Relax message check in test_create_host_with_ip

  • freeipa-server no longer supports i686 arch on F28

  • Unified ldap_initialize() function

  • Fix multiple uninstallation of server

  • Fix i18n test for Chinese translation

  • Run API and ACI under Python 2 and 3

  • Generate same API.txt under Python 2 and 3

  • Replace wsgi package conflict with config file

  • Restart named-pkcs11 after KRA installation

  • Update existing 389-DS cn=RSA,cn=encryption config

  • Bump python-ldap version to fix syncrepl bug

  • Bump SELinux policy for DNSSEC

  • ipa-server-upgrade now checks custodia server keys

  • DNSSEC code cleanup

  • DNSSEC: Reformat lines to address PEP8 violations

  • Decode ODS commands

  • Run DNSSEC under Python 3

  • More DNSSEC house keeping

Felipe Barreto (16)#

  • Adding xfail to failing tests

  • Fixing


  • Adding GSSPROXY_CONF to be backed up on ipa-backup

  • Fixing cleanup process in test_caless

  • WebUI Tests: changing the ActionsChains.move_to_element to a new approach

  • WebUI Tests: fixing

  • WebUI Tests: Changing how the initial load process is done

  • WebUI Tests: fixing test_range test case

  • WebUI Tests: changing how the login screen is detected

  • WebUI Tests: refactoring login method to be more readable

  • WebUI Tests: fixing test_navigation

  • WebUI Tests: fixing test_group

  • WebUI Tests: fixing test_hbac

  • Check if replication agreement exist before enable/disable it

  • Make IntegrationTest fail if an error happened during uninstall

  • IntegrationTests now collects logs from all test methods

Florence Blanc-Renaud (9)#

  • Test for 7526

  • ipa-server-install: publish complete cert chain in


  • ACI: grant access to admins group instead of admin user

  • ipa-replica-install: make sure that certmonger picks the right master

  • ipa-server-install: handle error when calling kdb5_util create

  • ipa host-add: do not raise exception when reverse record not added

  • 389-ds OTP lasttoken plugin: Add unit test

  • User must not be able to delete his last active otp token

  • ipa host-add –ip-address: properly handle NoNameservers

Fraser Tweedale (14)#

  • csrgen: fix when attribute shortname is lower case

  • csrgen: drive-by docstring

  • csrgen: support initialising OpenSSL adaptor with key object

  • py3: fix csrgen error handling

  • certprofile: add tests for config profileId scenarios

  • certprofile: reject config with multiple profileIds

  • install: configure dogtag status request timeout

  • Fix upgrade (update_replica_config) in single master mode

  • replica-install: warn when there is only one CA in topology

  • ldap2: fix implementation of can_add

  • ipaldap: allow GetEffectiveRights on individual operations

  • Update IPA CA issuer DN upon renewal

  • cert-request: avoid internal error when cert malformed

  • Improve warning message for malformed certificates

Ganna Kaihorodova (3)#

  • Fix trust tests for Posix Support

  • Fix in IPA’s multihost fixture

  • Overide trust methods for integration tests

Martin Basti (2)#

  • py3: bindmgr: fix iteration over bytes

  • py3: ipa-dnskeysyncd: fix bytes issues

Michal Reznik (33)#

  • ui_tests: add click_undo_button() func

  • ui_tests: extend suite

  • ui_tests: improve “field_validation” method

  • ui_tests: checkbox click fix

  • ui_tests: introduce new test_misc cases file

  • ui_driver: extension and modifications related to test_user

  • ui_tests: extend test_user suite

  • test_web_ui: extend ui_driver methods

  • test_webui: add user life-cycles tests

  • ui_tests: run ipa-get/rmkeytab command on UI host

  • ui_tests: select_combobox() fixes

  • ui_tests: test cancel and delete without button

  • ui_tests: make associations cancelable

  • ui_tests: add function to run cmd on UI host

  • ui_tests: add funcs to add/remove users public SSH key

  • ui_tests: add assert_field_required()

  • ui_tests: add assert_notification()

  • ui_tests: add more test cases

  • ui_tests: add more test cases to test_certification

  • ui_tests: add_service() support func in test_service

  • ui_tests: add_host() support func in test_service

  • ui_tests: change get_http_pkey() function

  • test_caless: adjust try/except to capture also IOError

  • ipa_tests: test signing request with subca on replica

  • test_caless: test PKINIT install and anchor update

  • tests: move CA related modules to pytest_plugins

  • test_external_ca: selfsigned->ext_ca->selfsigned

  • test_tasks: add sign_ca_and_transport() function

  • paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants

  • test_renewal_master: add ipa csreplica-manage test

  • test_help: test “help” command without cache

  • test_x509: test very long OID

  • ipa_tests: test subca key replication

Varun Mylaraiah (4)#

  • Extend WebUI test_krbpolicy suite with the following test cases:

test_verifying_button (verify button’s action in various scenarios) test_negative_value (verify invalid values) test_verifying_measurement_unit

  • WebUI tests: Extend netgroup tests with more scenarios

  • Fixed improper clean-up in test_host::test_kerberos_flags added

closing the notification in kerberos flags

  • WebUI tests: Extend user group tests with more scenarios

Mohammad Rizwan Yusuf (5)#

  • Test to check second replica installation after master restore

  • Updated the TestExternalCA with the functions introduced for the steps

of external CA installation.

  • When the dirsrv service, which gets started during the first

ipa-server-install –external-ca phase, is not running when the second phase is run with –external-cert-file options, the ipa-server-install command fail.

  • Before the fix, when ipa-backup was called for the first time, the

LDAP database exported to /var/lib/dirsrv/slapd-/ldif/-userRoot.ldif. db2ldif is called for this and it runs under root, hence files were owned by root.

  • IANA reserved IP address can not be used as a forwarder. This test

checks if ipa server installation throws an error when is specified as forwarder IP address.

Nathaniel McCallum (3)#

  • Revert “Don’t allow OTP or RADIUS in FIPS mode”

  • Increase the default token key size

  • Fix OTP validation in FIPS mode

Petr Čech (1)#

  • webui:tests: Add tests for realmd domains

Pavel Picka (2)#

  • Adding WebUI Host test cases

  • WebUI Hostgroups tests cases added

Petr Vobornik (8)#

  • Fix test_server_del::TestLastServices

  • server-del do not return early if CA renewal master cannot be changed

  • webui: refresh complex pages after modification

  • webui tests: fix test_host:test_crud failure

  • webui:tests: close big notifications in realm domains tests

  • webui:tests: realm domain add with DNS check

  • webui:tests: move DNS test data to separate file

  • fastcheck: do not test context in pycodestyle

Rob Crittenden (18)#

  • Disable Schema Compat plugin during server upgrade

  • Add tests for ipa-restore with DM password validation check

  • Validate the Directory Manager password before starting restore

  • Don’t try to set Kerberos extradata when there is no principal

  • Require mod_nss 1.0.14-7 to fix reverse proxy in mod_nss

  • Validate the Directory Manager password before starting restore

  • Log service start/stop/restart message

  • Update project metadata in

  • Redirect CRL requests to the http port, not the https port

  • Allow dot as a valid character in an selinux identity name

  • Break out of teardown in if no config

  • Remove the Continuous installer class, it is unused

  • Return a value if exceptions are raised in server uninstall

  • Don’t try to backup CS.cfg during upgrade if CA is not configured

  • Don’t return None on mismatched interactive passwords

  • Fix detection of KRA installation so upgrades can succeed

  • Move Requires: pythonX-sssdconfig into conditional

Robbie Harwood (2)#

  • Fix elements not being removed in otpd_queue_pop_msgid()

  • Log errors from NSS during FIPS OTP key import

Sumit Bose (2)#

  • ipa-kdb: update trust information in all workers

  • ipa-kdb: use magic value to check if ipadb is used

John L (1)#

  • Remove special characters in host_add random OTP generation

Stanislav Laznicka (7)#

  • Travis: ignore ‘line break after binary operator’

  • Allow user administrator to change user homedir

  • Add absolute_import future imports

  • Travis: test IPA 4.6 on F27

  • replica-install: pass –ip-address to client install

  • Remove py35 env from tox testing

  • vault: fix vault-retrieve to a file

Tomas Krizek (2)#

  • py3 dnssec: convert hexlify to str

  • py3: bindmgr: fix bytes issues