The FreeIPA team would like to announce FreeIPA 4.6.4 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 27 will be available soon.
Highlights in 4.6.4#
Several changes to upgrade process so it will be more robust:
The schema compat plugin is disabled during upgrades
Verify the Custodia keys
Handle entries that already exist when adding new ones
Run the upgrade in an empty ccache
Don’t try to backup CS.cfg during upgrade if CA is not configured
Properly detect whether a KRA is configured
Set nsds5ReplicaReleaseTimeout to avoid monopolization of a master during replication
Bug fixes#
FreeIPA 4.6.4 is a stabilization release for the features delivered as a part of 4.6.0. There are more than 50 bug-fixes details of which can be seen in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets#
5638 Port client code to Python 3
5776 webui: some data disappear from user details page after the save action is performed
5813 ipa-kra-install disrupts bind-dyndb-ldap
5922 ipa vault-archive overwrites an existing value without warning
6525 makeapi & makeaci under Python 2/3 generate different files
6531 Refactor the execution flow of `cert-request` command
6609 A CA administrator fails to add CA for Insufficient ‘add’ privilege
6721 While performing ipa-server-upgrade, sssd goes offline and stalls the upgrade process
6851 Don’t use ctypes.util.find_library in ipaclient
7012 Users can delete their last active OTP token
7131 Finish Python3 support
7136 ipa-restore command doesn’t exit with failure if wrong directory manager’s password is provided
7240 ipa-dnskeysyncd broken (and ipactl doesn’t tell)
7313 trust integration tests need to override test_establish_trust method when using different trust-add options
7314 Update package metadata
7330 ipa-server-install –uninstall does not return error code on error
7335 Integration tests are not collecting all logs
7342 admins group is not including all permissions of Role “User Administrator”
7357 IntegrationTests do not fail even if the uninstall process fails
7359 [RFE] extend topology plugin to clean up a removed replica ldap/ principal
7371 uninstalling replica leaves orphained data in ldap
7374 IPA ‘Generate OTP’ option in web gui does not show OTP code when no reverse zone is managed
7380 Possible regression for limited OTP characters in host-add
7383 user-add: user creation proceeds when password is wrong
7389 F-27 upgrade to 4.6.3-1 fails with KRA update
7390 cert-request: issuance of malformed certificate causes IPA Internal Error
7393 Installing 4.6.3-1 in rawhide/F28 fails with DuplicateEntry enabling TLS in 389-ds
7394 file conflicts between python2-mod_wsgi and freeipa-server
7397 ipa host-add –ip-address… returns Internal error when forward-policy=none is defined
7411 Simplify CA, TLS and bytes warning configuration of LDAP connections
7424 Improve Realm Domains doc text
7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA
7432 make fasttest fails on fresh clone. fedora26
7433 CRL url on replicas gets incorrectly redirected
7436 ipa: Please log something after restarting the KDC
7447 test_create_host_with_ip is not fully covering possible return errors
7463 test_webui: add user life-cycles tests
7468 test_host.py::test_host::test_crud is failing in nightly tests
7472 ipa: ERROR: Could not get SOA serial interactively
7473 ERROR: No valid Negotiate header in server response
7474 ipa-server-install –uninstall on replica fails with “NoOptionError: No option ‘ldap_uri’ in section: ‘global’”
7485 Extending webui user group test
7493 ipa-replica-install fails with ERROR 400 Client Error when master has httpd 2.4.33-2.fc27
7503 multiple occurrences of profileId in certprofile causes incorrect behaviour
7505 WebUI tests: Extend netgroup tests
7510 validate_selinuxuser does not allow a period in selinux user identifier
7519 Adding SSH keys for AD users as I created overrides
7520 ipa certmap-match throwing “ipa: ERROR: an internal error has occurred”
7526 IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain
7535 ipa-restore fails because tmp/etc/ipa/ca.crt is missing
7540 Extend WebUI test_krbpolicy suite with the following test cases:
7542 CLI and Web UI allow to add more then one radius server into radius proxy
7544 ui_tests: extend test_selinuxusermap.py suite
7546 ui_tests: improve “field_validation” method
7547 ui_tests: checkbox click fix
7550 [WebUI] extend host test suite
Detailed changelog since 4.6.3#
Alexander Bokovoy (7)#
group-del: add a warning to logs when password policy could not be removed
pylint3: workaround false positives reported for W1662
idoverrideuser-add: allow adding ssh key in web ui
ACL: Allow hosts to remove services they manage
replication: support error messages from 389-ds 1.3.5 or later
upgrade: treat duplicate entry when updating as not an error
upgrade: Run configuration upgrade under empty ccache collection
Alexander Koksharov (2)#
Fix replica_promotion-domlevel0 test failures
preventing ldap principal to be deleted
Amit Kumar (3)#
ipa vault-archive overwrites an existing value without warning
Error message while adding idrange with untrusted domain
ipa-advise for smartcards updated
Aleksei Slaikovskii (3)#
Radius proxy multiservers fix
Enable and start oddjobd after ipa-restore if it’s not running.
Fixing translation problems
Christian Heimes (27)#
Revert “Validate the Directory Manager password”
Load certificate files as binary data
Use single Custodia instance in installers
Add nsds5ReplicaReleaseTimeout to replica config
Provide ldap_uri in Custodia uninstaller
Defer import of ipaclient.csrgen
Require more recent glibc on F27
More cleanup after uninstall
Pylint 1.8.3 fixes
Relax message check in test_create_host_with_ip
freeipa-server no longer supports i686 arch on F28
Unified ldap_initialize() function
Fix multiple uninstallation of server
Fix i18n test for Chinese translation
Run API and ACI under Python 2 and 3
Generate same API.txt under Python 2 and 3
Replace wsgi package conflict with config file
Restart named-pkcs11 after KRA installation
Update existing 389-DS cn=RSA,cn=encryption config
Bump python-ldap version to fix syncrepl bug
Bump SELinux policy for DNSSEC
ipa-server-upgrade now checks custodia server keys
DNSSEC code cleanup
DNSSEC: Reformat lines to address PEP8 violations
Decode ODS commands
Run DNSSEC under Python 3
More DNSSEC house keeping
Felipe Barreto (16)#
Adding xfail to failing tests
Fixing
TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
Adding GSSPROXY_CONF to be backed up on ipa-backup
Fixing cleanup process in test_caless
WebUI Tests: changing the ActionsChains.move_to_element to a new approach
WebUI Tests: fixing test_user.py::test_test_noprivate_posix
WebUI Tests: Changing how the initial load process is done
WebUI Tests: fixing test_range test case
WebUI Tests: changing how the login screen is detected
WebUI Tests: refactoring login method to be more readable
WebUI Tests: fixing test_navigation
WebUI Tests: fixing test_group
WebUI Tests: fixing test_hbac
Check if replication agreement exist before enable/disable it
Make IntegrationTest fail if an error happened during uninstall
IntegrationTests now collects logs from all test methods
Florence Blanc-Renaud (9)#
Test for 7526
ipa-server-install: publish complete cert chain in
/usr/share/ipa/html/ca.crt
ACI: grant access to admins group instead of admin user
ipa-replica-install: make sure that certmonger picks the right master
ipa-server-install: handle error when calling kdb5_util create
ipa host-add: do not raise exception when reverse record not added
389-ds OTP lasttoken plugin: Add unit test
User must not be able to delete his last active otp token
ipa host-add –ip-address: properly handle NoNameservers
Fraser Tweedale (14)#
csrgen: fix when attribute shortname is lower case
csrgen: drive-by docstring
csrgen: support initialising OpenSSL adaptor with key object
py3: fix csrgen error handling
certprofile: add tests for config profileId scenarios
certprofile: reject config with multiple profileIds
install: configure dogtag status request timeout
Fix upgrade (update_replica_config) in single master mode
replica-install: warn when there is only one CA in topology
ldap2: fix implementation of can_add
ipaldap: allow GetEffectiveRights on individual operations
Update IPA CA issuer DN upon renewal
cert-request: avoid internal error when cert malformed
Improve warning message for malformed certificates
Ganna Kaihorodova (3)#
Fix trust tests for Posix Support
Fix in IPA’s multihost fixture
Overide trust methods for integration tests
Martin Basti (2)#
py3: bindmgr: fix iteration over bytes
py3: ipa-dnskeysyncd: fix bytes issues
Michal Reznik (33)#
ui_tests: add click_undo_button() func
ui_tests: extend test_selinuxusermap.py suite
ui_tests: improve “field_validation” method
ui_tests: checkbox click fix
ui_tests: introduce new test_misc cases file
ui_driver: extension and modifications related to test_user
ui_tests: extend test_user suite
test_web_ui: extend ui_driver methods
test_webui: add user life-cycles tests
ui_tests: run ipa-get/rmkeytab command on UI host
ui_tests: select_combobox() fixes
ui_tests: test cancel and delete without button
ui_tests: make associations cancelable
ui_tests: add function to run cmd on UI host
ui_tests: add funcs to add/remove users public SSH key
ui_tests: add assert_field_required()
ui_tests: add assert_notification()
ui_tests: add more test cases
ui_tests: add more test cases to test_certification
ui_tests: add_service() support func in test_service
ui_tests: add_host() support func in test_service
ui_tests: change get_http_pkey() function
test_caless: adjust try/except to capture also IOError
ipa_tests: test signing request with subca on replica
test_caless: test PKINIT install and anchor update
tests: move CA related modules to pytest_plugins
test_external_ca: selfsigned->ext_ca->selfsigned
test_tasks: add sign_ca_and_transport() function
paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
test_renewal_master: add ipa csreplica-manage test
test_help: test “help” command without cache
test_x509: test very long OID
ipa_tests: test subca key replication
Varun Mylaraiah (4)#
Extend WebUI test_krbpolicy suite with the following test cases:
test_verifying_button (verify button’s action in various scenarios) test_negative_value (verify invalid values) test_verifying_measurement_unit
WebUI tests: Extend netgroup tests with more scenarios
Fixed improper clean-up in test_host::test_kerberos_flags added
closing the notification in kerberos flags
WebUI tests: Extend user group tests with more scenarios
Mohammad Rizwan Yusuf (5)#
Test to check second replica installation after master restore
Updated the TestExternalCA with the functions introduced for the steps
of external CA installation.
When the dirsrv service, which gets started during the first
ipa-server-install –external-ca phase, is not running when the second phase is run with –external-cert-file options, the ipa-server-install command fail.
Before the fix, when ipa-backup was called for the first time, the
LDAP database exported to /var/lib/dirsrv/slapd-/ldif/-userRoot.ldif. db2ldif is called for this and it runs under root, hence files were owned by root.
IANA reserved IP address can not be used as a forwarder. This test
checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address.
Nathaniel McCallum (3)#
Revert “Don’t allow OTP or RADIUS in FIPS mode”
Increase the default token key size
Fix OTP validation in FIPS mode
Petr Čech (1)#
webui:tests: Add tests for realmd domains
Pavel Picka (2)#
Adding WebUI Host test cases
WebUI Hostgroups tests cases added
Petr Vobornik (8)#
Fix test_server_del::TestLastServices
server-del do not return early if CA renewal master cannot be changed
webui: refresh complex pages after modification
webui tests: fix test_host:test_crud failure
webui:tests: close big notifications in realm domains tests
webui:tests: realm domain add with DNS check
webui:tests: move DNS test data to separate file
fastcheck: do not test context in pycodestyle
Rob Crittenden (18)#
Disable Schema Compat plugin during server upgrade
Add tests for ipa-restore with DM password validation check
Validate the Directory Manager password before starting restore
Don’t try to set Kerberos extradata when there is no principal
Require mod_nss 1.0.14-7 to fix reverse proxy in mod_nss
Validate the Directory Manager password before starting restore
Log service start/stop/restart message
Update project metadata in ipasetup.py.in
Redirect CRL requests to the http port, not the https port
Allow dot as a valid character in an selinux identity name
Break out of teardown in test_replica_promotion.py if no config
Remove the Continuous installer class, it is unused
Return a value if exceptions are raised in server uninstall
Don’t try to backup CS.cfg during upgrade if CA is not configured
Don’t return None on mismatched interactive passwords
Fix detection of KRA installation so upgrades can succeed
Move Requires: pythonX-sssdconfig into conditional
Robbie Harwood (2)#
Fix elements not being removed in otpd_queue_pop_msgid()
Log errors from NSS during FIPS OTP key import
Sumit Bose (2)#
ipa-kdb: update trust information in all workers
ipa-kdb: use magic value to check if ipadb is used
John L (1)#
Remove special characters in host_add random OTP generation
Stanislav Laznicka (7)#
Travis: ignore ‘line break after binary operator’
Allow user administrator to change user homedir
Add absolute_import future imports
Travis: test IPA 4.6 on F27
replica-install: pass –ip-address to client install
Remove py35 env from tox testing
vault: fix vault-retrieve to a file
Tomas Krizek (2)#
py3 dnssec: convert hexlify to str
py3: bindmgr: fix bytes issues