Jump to: navigation, search

Releases/4.6.8

Release date Released 2020-04-02

The FreeIPA team would like to announce FreeIPA 4.6.8 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

Highlights in 4.6.8

  • 5662: ID Views: do not allow custom Views for the masters
Custom ID views cannot be applied to IPA masters. A check was added to both IPA CLI and Web UI to prevent applying custom ID views to avoid confusion and unintended side-effects.

  • 6783: [RFE] Host-group names command rename
host groups can now be renamed with IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected hostgroups ('ipaservers') cannot be renamed.

  • 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from checking Kerberos policy during password changes by the Directory Manager or a password synchronization manager. This issue affected, among others, an integrated CA administrator account during deployment of more than one replica in some cases.

  • 8236: Enforce a check to prevent adding objects from IPA as external members of external groups
Command 'ipa group-add-member' allowed to specify any user or group for '--external' option. A stricter check is added to verify that a group or user to be added as an external member does not come from IPA domain.

  • 8239: Actualize Bootstrap version
Bootstrap Javascript framework used by FreeIPA web UI was updated to version 3.4.1.

Enhancements

Known Issues

Bug fixes

FreeIPA 4.6.8 is a stabilization release for the features delivered as a part of 4.6 version series.

There are more than 50 bug-fixes details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.


Resolved tickets

  • #4972 (rhbz#1206690) check for existence of private group is done even if UPG definition is disabled
  • #5662 (rhbz#1404770) ID Views: do not allow custom Views for the masters
  • #6210 (rhbz#1364139, rhbz#1751951) When master's IP address does not resolve to its name, ipa-replica-install fails
  • #6783 (rhbz#1430365) [RFE] Host-group names command rename
  • #6951 (rhbz#1449133) Update samba config file and use sss idmap module
  • #7181 (rhbz#1545755) ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
  • #7307 (rhbz#1518939) RFE: Extend IPA to support unadvertised replicas
  • #7470 TestBasicADTrust.test_ipauser_authentication is failing with error "Confidentiality required"
  • #7566 (rhbz#1591824) Installation of replica against a specific master
  • #7597 (rhbz#1583950) IPA: IDM drops all custom attributes when moving account from preserved to stage
  • #7600 (rhbz#1585020) Enable compat tree to provide information about AD users and groups on trust agents
  • #7725 (rhbz#1636765) ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd-<instance> directory
  • #7795 (rhbz#1795890) ipa-pkinit-manage enable fails on replica if it doesn't host the CA
  • #7804 (rhbz#1777811) `ipa otptoken-sync` fails with stack trace
  • #7807 (rhbz#1752005) Detect container installation to avoid Kernel keyring
  • #7870 (rhbz#1680039) [certmonger][upgrade] "Failed to get request: bus, object_path and dbus_interface must not be None."
  • #7893 ipasam needs changes for Samba 4.10
  • #7895 (rhbz#1686302) ipa trust fetch-domains, server parameter ignored
  • #7964 GSSAPI failure causing LWCA key replication failure on f30
  • #7995 (rhbz#1711172) Removing TLSv1.0, TLSv1.1 from nss.conf
  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
  • #8017 (rhbz#1817927) host-add --password logs cleartext userpassword to Apache error log
  • #8026 Update pr-ci definitions with master_3client topology
  • #8029 (rhbz#1749788) ipa host-find --pkey-only includes SSH keys in output
  • #8044 (rhbz#1717008) Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
  • #8058 (rhbz#1745108) ipa-4-6: ipa-client-install should not refuse single-label domains
  • #8067 (rhbz#1750700) add default access control configuration to trusted domain objects
  • #8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
  • #8077 New pylint 2.4.0 errors
  • #8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.
  • #8084 (rhbz#1758406) KRA authentication fails when IPA CA has custom Subject DN
  • #8086 (rhbz#1756568) ipa-server-certinstall man page does not match built-in help.
  • #8099 (rhbz#1762317) ipa-backup command is failing on rhel-7.8
  • #8102 Pylint 2.4.3 + Astroid 2.3.2 errors
  • #8113 (rhbz#1755535) ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
  • #8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
  • #8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements
  • #8126 Nightly test failure in fedora-27/test_ca_custom_sdn
  • #8131 (rhbz#1777920) covscan memory leaks report
  • #8138 (rhbz#1780548) Man page ipa-cacert-manage does not display correctly on RHEL
  • #8148 (rhbz#1782587) add "systemctl restart sssd" to warning message when adding trust agents to replicas
  • #8152 ipatests: Enhance install_replica() method with promote option for ipa-4-6
  • #8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs
  • #8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
  • #8176 External CA is tracked for renewals and replaced with a self-signed certificate
  • #8193 (rhbz#1801791) Re-order 50-externalmembers.update to be after 80-schema_compat.update
  • #8213 Test failure in Travis CI: missing IPv6 loopback interface
  • #8219 ipatests: unify editing of sssd.conf
  • #8220 Pylint for python2 complains about import from ipaplatform
  • #8221 (rhbz#1812169) Secure AJP connector between Dogtag and Apache proxy
  • #8236 (rhbz#1809835) Enforce a check to prevent adding objects from IPA as external members of external groups
  • #8238 Nightly test failure in fedora-27/test_sssd
  • #8239 Actualize Bootstrap version
  • #8242 (rhbz#1788718) ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd

Detailed changelog since 4.6.7

Armando Neto (2)

  • Travis: Enable IPv6 support for Docker commit #8213
  • prci: Update box used in branch ipa-4-6 commit

Alexander Bokovoy (24)

  • Return to development snapshots commit
  • Become FreeIPA 4.6.8 commit
  • Update list of contributors commit
  • Allow rename of a host group commit #6783
  • Add 'api' and 'aci' targets to make commit
  • ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager commit #7181
  • ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN commit #7181
  • ipatests: test sysaccount password change with a password policy applied commit #7181
  • ipatests: allow changing sysaccount passwords as cn=Directory Manager commit #7181
  • Fix indentation levels commit
  • Prevent adding IPA objects as external members of external groups commit #8236
  • Secure AJP connector between Dogtag and Apache proxy commit #8221
  • Tighten permissions on PKI proxy configuration commit #8221
  • install/updates: move external members past schema compat update commit #8193
  • covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131
  • covscan: free encryption types in case there is an error commit #8131
  • Become FreeIPA 4.6.7 commit
  • Do not run trust upgrade code if master lacks Samba bindings commit #8001
  • adtrust: add default read_keys permission for TDO objects commit #8067
  • add default access control when migrating trust objects commit #8067
  • ipasam: use SID formatting calls to libsss_idmap commit #7893
  • Use unicode strings for Python 2 version commit #6951
  • ipa-extdom-extop: test timed out getgrgid_r commit #8044
  • Revert back to git snapshots commit

Anuja More (13)

  • Mark test to skip sssd-1.16.3 [sssd/issue/4073] commit
  • ipatests: User and group with same name should not break reading AD user data. commit
  • Mark xfail for tests using sssd-1.16.3 commit
  • ipatests: Added test when 2FA prompting configurations is set. commit
  • Mark xfail for sssd-version 1.16.3 commit
  • ipatests: SSSD should fetch external groups without any limit. commit
  • Add sssd.py in nightly ipa-4-6.yaml commit
  • ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit
  • Mark xfail for test_is_user_filtered commit
  • ipatests: filter_users should be applied correctly. commit
  • Mark xfail for test_sss_ssh_authorizedkeys() commit
  • ipatests: 'sss_ssh_authorizedkeys user' should return ssh key commit
  • Extdom plugin should not return error (32)/'No such object' commit #8044

Christian Heimes (7)

François Cami (2)

  • adtrust.py: mention restarting sssd when adding trust agents commit #8148
  • prci_definitions: add master_3client topology commit #8026

Florence Blanc-Renaud (28)

  • ipatests: fix group-add-member in test_sssd commit #8238
  • ipatests: fix KeyError in test_sssd commit #8238
  • xmlrpc tests: add a test for idview-apply on a master commit #5662
  • idviews: prevent applying to a master commit #5662
  • ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600
  • ipatests: add test for ipa-adtrust-install --add-agents commit #7600
  • ipa-adtrust-install: run remote configuration for new agents commit #7600
  • Privilege: add a helper checking if a principal has a given privilege commit #7600
  • ipatests: fix TestSubCAkeyReplication commit
  • ipatests: fix modify_sssd_conf() commit
  • test: add non-reg test checking pkinit after server install commit #7795
  • pkinit setup: fix regression on master install commit #7795
  • ipatests: add integration test for pkinit enable on replica commit #7795
  • pkinit enable: use local dogtag only if host has CA commit #7795
  • ipatests: fix backup and restore commit #8170
  • ipa-cacert-manage man page: fix indentation commit #8138
  • trust upgrade: ensure that host is member of adtrust agents commit
  • ipatests: fix test_ca_custom_sdn commit #8126
  • smartcard: make the ipa-advise script compatible with authselect/authconfig commit #8113
  • ipa-backup: fix python2 issue with os.mkdir commit #8099
  • ipa-server-certinstall manpage: add missing options commit #8086
  • ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion commit #8070
  • ipatests: add XMLRPC test for user-add when UPG plugin is disabled commit #4972
  • ipa user_add: do not check group if UPG is disabled commit #4972
  • replica install: enforce --server arg commit #7566
  • check for single-label domains only during server install commit #8058
  • xmlrpc test: add test for preserved > stage user commit #7597
  • user-stage: transfer all attributes from preserved to stage user commit #7597

Fraser Tweedale (8)

  • Do not renew externally-signed CA as self-signed commit #8176
  • test_integration: add tests for custom CA subject DN commit #8084
  • upgrade: fix ipakra people entry 'description' attribute commit #8084
  • krainstance: set correct issuer DN in uid=ipakra entry commit #8084
  • Bump krb5 min version commit
  • CustodiaClient: fix IPASecStore config on ipa-4-7 commit #7964
  • CustodiaClient: use ldapi when ldap_uri not specified commit #7964
  • Handle missing LWCA certificate or chain commit #7964

Gaurav Talreja (1)

  • Normalize test definations titles commit

Ganna Kaihorodova (1)

  • TestBasicADTrust.test_ipauser_authentication commit #7470

Jayesh Garg (2)

  • Test if ipactl starts services stopped by systemctl commit
  • Test for ipa-ca-install on replica commit

Kaleemullah Siddiqui (1)

  • Tests for autounmembership feature commit

Mohammad Rizwan Yusuf (7)

  • ipatests: Test if slew mode is not set while configuring ntpd commit #8242
  • Test if schema-compat-entry-attribute is set commit #8193
  • Test if schema-compat-entry-attribute is set commit #8193
  • Add promote option to install_replica() method commit #8152
  • Add test to nightly.yaml commit
  • Installation of replica against a specific server commit #7566
  • Check file ownership and permission for dirsrv log instance commit #7725

ndehadra (1)

  • Hidden Replica: Add a test for Automatic CRL configuration commit #7307

Rob Crittenden (11)

  • Don't configure ntpd with -x commit #8242
  • Test that pwpolicy only applied on Kerberos entries commit
  • Add ability to change a user password as the Directory Manager commit
  • Don't save password history on non-Kerberos accounts commit
  • Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164
  • CVE-2019-10195: Don't log passwords embedded in commands in calls using batch commit
  • ipa-restore: Restore ownership and perms on 389-ds log directory commit #7725
  • Report if a certmonger CA is missing commit #7870
  • Don't log host passwords when they are set/modified commit #8017
  • Disable deprecated-lambda check in adtrust upgrade code commit
  • Don't return SSH keys with ipa host-find --pkey-only commit #8029

Robbie Harwood (3)

  • Fix NULL pointer dereference in maybe_require_preauth() commit
  • Log INFO message when LDAP connection fails on startup commit
  • Fix segfault in ipadb_parse_ldap_entry() commit

Sumit Bose (2)

  • ipa_sam: remove dependency to talloc_strackframe.h commit
  • extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT commit #8044

Stanislav Levin (2)

Sergey Orlov (24)

  • ipatests: remove test_ordering commit
  • ipatests: add test_trust suite to nightly runs commit
  • ipatests: add workaround for unfixed sssd bug in Fedora 27 commit
  • ipatests: use less strict check for error message commit
  • ipatests: provide AD admin password when trying to establish trust commit #7895
  • ipatests: remove workaround for pylint error no-name-in-module commit #8220
  • ipatests: temporary disable pylint check no-name-in-module commit #8220
  • ipatests: remove invalid parameter from sssd.conf commit #8219
  • ipatests: use remote_sssd_config to modify sssd.conf commit #8219
  • ipatests: replace utility for editing sssd.conf commit #8219
  • ipatests: update docstring to reflect changes in FileBackup.restore() commit
  • ipatests: refactor FileBackup helper commit #8115
  • ipatests: fix collection of tests from test_trust suite commit
  • Add convenient template for temp commits commit
  • ipatests: add test_winsyncmigrate suite to nightly runs commit
  • ipatests: fix compatibility with python2 (import ConfigParser) commit
  • ipatests: add new utilities for file management commit
  • ipatests: add utility functions related to using and managing user accounts commit
  • ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951
  • ipatests: add test to check that only TLS 1.2 is enabled in Apache commit #7995
  • ipatests: modify run_command to allow specify successful return codes commit
  • ipatests: in DNS zone file add A record for name server commit
  • ipatests: strip newline character when getting name of temp file commit
  • ipatests: fix DNS forwarders setup for AD trust tests with non-root domains commit

Sumedh Sidhaye (2)

  • Added a test to check if ipa host-find --pkey-only does not return SSH public key commit #8029
  • Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf commit

Simo Sorce (1)

  • Make sure to have storage space for tag commit

Serhii Tsymbaliuk (2)

  • WebUI: Fix notification area layout commit #8120
  • Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 commit #8239

Tibor Dudlák (1)

  • Add container environment check to replicainstall commit #6210

Tomas Halman (4)

  • extdom: add extdom protocol documentation commit
  • extdom: use sss_nss_*_timeout calls commit
  • extdom: plugin doesn't use timeout in blocking call commit
  • extdom: plugin doesn't allow @ in group name commit