The FreeIPA team would like to announce the FreeIPA 4.6.90.pre2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and rawhide will be available in the Fedora repositories.
Highlights in 4.6.90.pre2
The major new features of this release are:
Switch from using mod_nss for the Apache TLS engine to using mod_ssl. Upgrading will move the certificates and keys from /etc/httpd/alias to /var/lib/ipa/certs/.
Switch time client and server from ntp to chrony.
Switch from using authconfig to authselect to configure the PAM stack.
Kerberos clients can now use SPAKE, a preauthentication mechanism based on elliptic curve cryptography, to strengthen their handshake with a FreeIPA KDC. See IETF draft draft-ietf-kitten-krb-spake-preauth-05 and the relevant portions of krb5.conf(5) and kdc.conf(5) for details. SPAKE is enabled for new IPA servers and clients by default.
Thanks to our translation volunteers, FreeIPA 4.6.90.pre2 sees a major update for Chinese, French, Russian, and Ukrainian languages.
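As an added illustration of what the SPAKE highlight above means in configuration terms (this is an example written for these notes, not FreeIPA's shipped krb5.conf.d snippet or KDC template), the following shows the settings in krb5.conf(5) and kdc.conf(5) that govern SPAKE preauthentication. The realm name EXAMPLE.TEST, the indicator string and the choice to restrict both sides to the edwards25519 group are assumptions for the example.

```ini
# Client side: /etc/krb5.conf or a snippet under /etc/krb5.conf.d/.
# Example configuration, not FreeIPA's own file.
[libdefaults]
    # Groups the client is willing to use for SPAKE preauthentication.
    # Listing only edwards25519 pins the client to that curve.
    spake_preauth_groups = edwards25519

# KDC side: kdc.conf
[kdcdefaults]
    # Authentication indicator the KDC asserts into tickets obtained
    # through SPAKE, so services can later require SPAKE-authenticated
    # credentials. The value "spake" is an assumed label.
    spake_preauth_indicator = spake

[realms]
    # EXAMPLE.TEST is a placeholder realm name.
    EXAMPLE.TEST = {
        # Include a SPAKE challenge for this group in the first KDC
        # reply, saving a round trip with clients that support it.
        spake_preauth_kdc_challenge = edwards25519
    }
```

The client-side key is the one that decides whether SPAKE is negotiated at all; the KDC-side keys only tune the exchange and let ticket consumers distinguish SPAKE-authenticated credentials from ones obtained with weaker preauthentication.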
Known Issues
Bug fixes
FreeIPA 4.6.90.pre2 is a preview release for the features delivered as a part of 4.7.0.
There are more than 70 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
7530 external CA replica installation fails with CA_UNREACHABLE
7529 AVC denials and errors for IPA server installed on Fedora28
7524 ipa-client-install fails because of missing file /usr/share/ipa/freeipa.template
7523 external CA installation: step two reports self-signed configuration
7520 ipa certmap-match throwing “ipa: ERROR: an internal error has occurred”
7519 Adding SSH keys for AD users as I created overrides
7518 Improve Custodia client and key distribution handling
7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf despite the migration to ssl.conf
7514 Allow to create Kerberos services without a corresponding host object
7513 Allow Kerberos services to be members of IPA groups
7512 Missing dependency for freeipa-client: python3-augeas
7510 validate_selinuxuser does not allow a period in selinux user identifier
7508 Trust tests for Posix support are failing with Assertion Error None on Windows Server 2016
7507 ui_tests: extend test_user suite
7505 WebUI tests: Extend netgroup tests
7503 multiple occurrences of profileId in certprofile causes incorrect behaviour
7499 Integration tests dns_location in regards of check NTP records failing
7498 [F28] CA replica fails with could not find certificate named “caSigningCert cert-pki-ca”
7496 csrgen fails if subject base contains lower-case attribute names
7490 installutils.set_directive doesn’t handle debian ssl.conf properly
7489 Test test_caless_TestCertInstall is failing in nightly
7488 Set nsds5ReplicaReleaseTimeout on all replicas and databases
7486 Allow hosts to delete their own services
7485 Extending webui user group test
7484 Load ipaclient.csrgen on demand to speed up CLI
7478 [F28] ipa-backup fails with “Failed to execute authconfig command”
7474 ipa-server-install --uninstall on replica fails with “NoOptionError: No option ‘ldap_uri’ in section: ‘global’”
7473 ERROR: No valid Negotiate header in server response
7470 TestBasicADTrust.test_ipauser_authentication is failing with error “Confidentiality required”
7469 ipa-replica-prepare fail with “stat: path should be string, bytes, os.PathLike or integer, not NoneType”
7468 test_host.py::test_host::test_crud is failing in nightly tests
7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
7463 test_webui: add user life-cycles tests
7461 Hardening of topology plugin to prevent erroneous deletion of a replica agreement
7459 [RFE] replica-install: warn when only one CA exists in topology
7458 ui_tests: extend test_hostgroup.py suite
7456 ipa otptoken-add should use LDAP Whoami call
7454 Upgrade from F27 to F28 produces an error while updating ipa.conf.template
7450 “This entry already exists” error when upgrading on IPA 4.5
7442 Replication agreement status incorrectly checked
7441 ui_tests: extend test_service.py suite
7436 ipa: Please log something after restarting the KDC
7427 User Administrator doesn’t have enough privileges to edit homeDirectory attribute
7426 DogtagInstance.backup_config creates backup with wrong owner
7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA
7424 Improve Realm Domains doc text
7421 Store HTTPD private keys encrypted
7415 CA installer need to check availability of port 8080
7410 ipa-replica-install --add-agents option doesn’t install trust-agent on replica
7377 Investigate and define plan of authconfig replacement in FreeIPA
7376 clear sssd cache when uninstalling client
7366 RFE: ipa client should setup openldap for GSSAPI
7330 ipa-server-install --uninstall does not return error code on error
7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
7095 [tracker] please rotate & compress /var/lib/pki/pki-tomcat/logs/ca/debug
7041 [ipa-replica-install] - KDC has no support for encryption type - reoccurrence in multireplica scenario
7024 freeipa depends on ntp
6884 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
6843 ipa-backup does not create log file at /var/log/
5776 webui: some data disappear from user details page after the save action is performed
5673 contrib/nssciphersuite/nssciphersuite.py raising error in tests
4853 Utilize system-wide crypto-policies
Detailed changelog since 4.6.90.pre1
Alexander Bokovoy (13)
group: allow services as members of groups
service: allow creating services without a host to manage them
group-del: add a warning to logs when password policy could not be removed
idoverrideuser-add: allow adding ssh key in web ui
ACL: Allow hosts to remove services they manage
install: validate AD trust-related options in installers
replication: support error messages from 389-ds 1.3.5 or later
upgrade: treat duplicate entry when updating as not an error
Allow anonymous access to parentID attribute
upgrade: Run configuration upgrade under empty ccache collection
use LDAP Whoami command when creating an OTP token
Update template directory with new variables when upgrading ipa.conf.template
Processing of server roles should ignore errors.EmptyResult
Alexey Slaykovsky (1)
Make tox tests generate results in JUnit XML
amitkuma (5)
RFE: ipa client should setup openldap for GSSAPI
Correcting detect typo in server.m4
Correction of management spelling.
clear sssd cache when uninstalling client
clear sssd cache when uninstalling client
Anuja More (2)
Adding test-cases for ipa-cacert-manage
Adding test-cases for ipa-cacert-manage
Christian Heimes (32)
Revert “Validate the Directory Manager password”
Create missing /etc/httpd/alias for ipasession.key
Only run subset of external CA tests
Require Dogtag 10.6.1
Require nss with fix for nickname bug
ipa-client package needs sssd-tool
Make ipatests’ create_external_ca a script
Load certificate files as binary data
Remove contrib/nssciphersuite
Compatibility with pytest 3.4
Use shutil to copy file
Use single Custodia instance in installers
Add augeas dependency to client package
Create users in server-common pre hook
Require 389-ds-base >= 1.4.0.8-1
CA replica PKCS12 workaround for SQL NSSDB
Add nsds5ReplicaReleaseTimeout to replica config
Fix Python dependencies
Remove os.chdir() from test_ipap11helper
certdb: Move chdir into subprocess call
Provide ldap_uri in Custodia uninstaller
Defer import of ipaclient.csrgen
Require more recent glibc on F27
Load librpm on demand for IPAVersion
Fix installer CA port check for port 8080
Temporarily disable authconfig backup and restore
Cleanup and remove more files on uninstall
Fix compatibility with latest pytest
More cleanup after uninstall
Require Dogtag PKI >= 10.6
Keep owner when backing up CA.cfg
Pylint 1.8.3 fixes
Felipe Barreto (10)
Fixing tests on TestReplicaManageDel
Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
Adding GSSPROXY_CONF to be backed up on ipa-backup
Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
Fix TestSubCAkeyReplication providing the right path to pki log
temp commit: adding test to PR CI run
Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder
Changing Django’s CoC to reflect FreeIPA CoC
Adding Django’s Code of Conduct
Florence Blanc-Renaud (8)
authselect migration: use stable interface to query current config
authselect test: skip test if authselect is not available
ipa-advise: adapt config-client-for-smart-card-auth to authselect
Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
New tests for authselect migration
Migration from authconfig to authselect
ipa-advise config-server-for-smart-card-auth: use mod-ssl
ipa-replica-install: make sure that certmonger picks the right master
Fraser Tweedale (12)
install: fix reported external CA configuration
csrgen: fix when attribute shortname is lower case
csrgen: drive-by docstring
csrgen: support initialising OpenSSL adaptor with key object
py3: fix csrgen error handling
certprofile: add tests for config profileId scenarios
certprofile: reject config with multiple profileIds
Fix upgrade (update_replica_config) in single master mode
Add commentary about PKI admin password
Fix upgrade when named.conf does not exist
replica-install: warn when there is only one CA in topology
install: configure dogtag status request timeout
Ganna Kaihorodova (5)
Fix trust tests for Posix Support
Fix for integration tests dns_locations
Fix in IPA’s multihost fixture
TestBasicADTrust.test_ipauser_authentication
Fix for test TestInstallMasterReservedIPasForwarder
Takeshi MIZUTA (1)
Fix some typos in man page
Michal Reznik (18)
ui_tests: introduce new test_misc cases file
ui_driver: extension and modifications related to test_user
ui_tests: extend test_user suite
test_web_ui: extend ui_driver methods
test_webui: add user life-cycles tests
ui_tests: run ipa-get/rmkeytab command on UI host
ui_tests: select_combobox() fixes
ui_tests: test cancel and delete without button
ui_tests: make associations cancelable
ui_tests: add function to run cmd on UI host
ui_tests: add funcs to add/remove users public SSH key
ui_tests: add assert_field_required()
ui_tests: add assert_notification()
ui_tests: add more test cases
ui_tests: add more test cases to test_certification
ui_tests: add_service() support func in test_service
ui_tests: add_host() support func in test_service
ui_tests: change get_http_pkey() function
Varun Mylaraiah (3)
WebUI tests: Extend netgroup tests with more scenarios
Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags
WebUI tests: Extend user group tests with more scenarios
Pavel Picka (1)
WebUI Hostgroups tests cases added
Petr Vobornik (4)
webui: refresh complex pages after modification
Fix order of commands in test for removing topology segments
webui tests: fix test_host:test_crud failure
realm domains: improve doc text
Rob Crittenden (16)
Fix certificate retrieval in ipa-replica-prepare for DL0
Disable message about log in ipa-backup if IPA is not configured
Use a regex in installutils.get_directive instead of line splitting
Handle whitespace, add separator to regex in set_directive_lines
Validate the Directory Manager password before starting restore
Log service start/stop/restart message
Update project metadata in ipasetup.py.in
Allow dot as a valid character in an selinux identity name
Remove xfail from CALes test test_http_intermediate_ca
Some PKCS#12 errors are reported with full path names
ipa-server-certinstall failing, unknown option realm
Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
Break out of teardown in test_replica_promotion.py if no config
Remove the Continuous installer class, it is unused
Return a value if exceptions are raised in server uninstall
VERSION.m4: Set back to git snapshot
Robbie Harwood (2)
Move krb5 snippet into freeipa-client-common
Enable SPAKE support using krb5.conf.d snippet
Stanislav Laznicka (11)
Allow user administrator to change user homedir
mod_ssl: add SSLVerifyDepth for external CA installs
Add absolute_import to test_authselect
Fix typo in ipa-getkeytab --help
Add absolute_import future imports
replica-install: pass --ip-address to client install
ipa_backup: Backup the password to HTTPD priv key
Fix upgrading of FreeIPA HTTPD
Remove py35 env from tox testing
Encrypt httpd key stored on disk
Dogtag configs: rename deprecated options
Thierry Bordaz (1)
Hardening of topology plugin to prevent erroneous deletion of a replica agreement
Tibor Dudlák (14)
Use temporary pid file for chronyd -q task
Fix format string passed to pytest-multihost
Configure chrony with pool when server not set
Add enabling chrony daemon when not configured
Remove unnecessary option --force-chrony
Remove NTP server role while upgrading
Removes NTP server role from servroles and description
Update man pages for FreeIPA client, replica and server install
Adding method to ipa-server-upgrade to cleanup ntpd
Add --ntp-pool option to installers
FreeIPA server is time synchronization client only
Replace ntpd with chronyd in installation
Add dependency and paths for chrony
Removes ntp from dependencies and behave as there is always -N option