The FreeIPA team would like to announce FreeIPA 4.7.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 29 and Fedora 28 will be available in the official COPR repository and also published to Fedora 28 and Fedora 29 updates.
Highlights in 4.7.2#
Bugfixes to make FreeIPA 4.7 work well on Fedora 29 and RHEL 8.0 beta.
Known Issues#
Bug fixes#
FreeIPA 4.7.2 is a stabilization release for the features delivered as a part of 4.7 release series.
There are more than 10 bug-fixes details of which can be seen in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets#
7779 Update PR-CI definitions to use Fedora 29
7776 authselect 1.0.2 fails on unknown feature
7772 pylint 2.2.0 violations
7769 Installer does not detect that kadmin port 749/UDP is blocked
7767 make fasttest errors because of missing python3-lib389
7758 pylint-2.1.1 errors on Fedora 29
7754 Replace archaic term messagebus with dbus
7753 CID 323644: logically dead code in ipaserver.install.adtrust.py
7741 Smart card advise script uses hard-coded Python interpreter
7729 Bad output on failed client installation rollback
7728 RFE: Validation and better error messages when novajoin fails because of SSL errors
7723 NTP options fails on ipa replica
7671 Remove –no-sssd and –noac options
7658 [RFE] sysadm_r should be included in default SELinux user map order
7651 ipa-replica-install –setup-kra broken on DL1
7408 ipa-replica-install command should display proper message on the console.
5378 Incorrect error message at wrong password from private key file
Detailed changelog since 4.7.1#
Alexander Bokovoy (6)#
Become IPA 4.7.2
ipa-kdb: reduce LDAP operations timeout to 30 seconds
ipa-4-7: merge translations from zanata
ipaserver.install.adtrust: fix CID 323644
net groupmap: force using empty config when mapping Guests
adtrust: define Guests mapping after creating cifs/ principal
Adam Williamson (1)#
Fix authselect invocations to work with 1.0.2
Christian Heimes (35)#
Update temp commit template to F29
Increase debugging for blocked port 749 and 464
Address misc pylint issues in CLI scripts
pylint: also verify scripts
pylint: Fix duplicate-string-formatting-argument
pylint 2.2: Fix unnecessary pass statement
PR-CI: Restart rpcbind when it blocks kadmin port
Fix pytest deprecation warning
certdb: validate server cert signature
Require pylint 2.1.1-2
Silence comparison-with-itself in tests
Fix raising-format-tuple
Fix various dict related pylint warnings
Fix Module ‘pytest’ has no ‘config’ member
Fix useless-import-alias
Fix comparison-with-callable
Address consider-using-in
Ignore consider-using-enumerate for now
Address inconsistent-return-statements
Address pylint violations in lite-server
Ignore W504 code style like in travis config
Fix test_cli_fsencoding on Python 3.7, take 2
Replace messagebus with modern name dbus
Copy-paste error in permssions plugin, CID 323649
Allow ipaapi user to access SSSD’s info pipe
Fix test_cli_fsencoding on Python 3.7
ipapwd_pre_mod: NULL ptr deref
ipadb_mspac_get_trusted_domains: NULL ptr deref
has_krbprincipalkey: avoid double free
Require Dogtag 10.6.7-3
Use tasks.install_master() in external_ca tests
Keep Dogtag’s client db in external CA step 1
Replace hard-coded interpreter with sys.executable
Don’t abuse strncpy() length limitation
Fix ipadb_multires resource handling
François Cami (3)#
Add a “Find enabled services” ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
Add a shared-vault-retrieve test
Add sysadm_r to default SELinux user map order
Florence Blanc-Renaud (19)#
ipatests: add upgrade test for double-encoded cacert
ipa upgrade: handle double-encoded certificates
ipatests: add xmlrpc test for user|host-find –certificate
ipaldap.py: fix method creating a ldap filter for IPACertificate
ipatests: fix test_replica_uninstall_deletes_ruvs
ipatests: add test for ipa-replica-install options
ipa-replica-install: password and admin-password options mutually exclusive
freeipa.spec.in: add BuildRequires for python3-lib389
ipatests: add integration test for “Read radius servers” perm
radiusproxy: add permission for reading radius proxy servers
tests: add xmlrpc test for ipa user-add –radius-username
ipa user-add: add optional objectclass for radius-username
ipatest: add functional test for ipa-backup
ipa-backup: restart services before compressing the backup
ipa-replica-install –setup-adtrust: check for package ipa-server-trust-ad
ipatests: fix path in expected error message
Bump requires 389-ds-base
ipa tests: CA less
certdb: provide meaningful err msg for wrong PIN
Francisco Trivino (2)#
PR-CI: Move to Fedora 29 template, version 0.2.0
prci_definitions: update vagrant memory topology requirements
Fraser Tweedale (6)#
certdb: validate certificate signatures
Print correct subject on CA cert verification failure
certdb: ensure non-empty Subject Key Identifier
ipaldap: avoid invalid modlist when attribute encoding differs
rpc: always read response
Restore KRA clone installation integration test
Varun Mylaraiah (1)#
Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
Petr Vobornik (1)#
ipa-advise: update url of cacerdir_rehash tool
Rob Crittenden (10)#
Add support for multiple certificates/formats to ipa-cacert-manage
Add tests for ipa-cacert-manage install
Enable replica install info logging to match ipa-server-install
Demote log message in custodia _wait_keys to debug
Pass a list of values into add_master_dns_records
Collect the client and server uninstall logs in tests
Fix misleading errors during client install rollback
Remove the authselect profile warning if sssd was not configured.
Handle NTP configuration in a replica server installation
Enable LDAP debug output in client to display TLS errors in join
Stanislav Levin (1)#
Move ipa’s systemd tmpfiles from /var/run to /run
Sergey Orlov (2)#
ipatests: add test for ipa-restore in multi-master configuration
ipatests: add test for ipa-advise for enabling sudo for admins group
sudharsanomprakash (1)#
Don’t use deprecated Apache Access options.
Thomas Woerner (5)#
Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
Fix ressource leak in client/config.c get_config_entry
Update annobin to fix continuous-integration/travis-ci/pr issues
Find orphan automember rules
ipaclient: Remove –no-sssd and –no-ac options