The FreeIPA team would like to announce the FreeIPA 4.7.5 release!
FreeIPA 4.7.5 is the final release in the 4.7 series. No new releases will be provided for FreeIPA 4.7, as no distributors use the series anymore.
Two long term support release series are available:
FreeIPA 4.6
FreeIPA 4.8
Source code for the release can be downloaded from http://www.freeipa.org/page/Downloads.
Highlights in 4.7.5
5662: ID Views: do not allow custom Views for the masters
Custom ID views cannot be applied to IPA masters. A check was added to both the IPA CLI and the Web UI to prevent applying custom ID views to masters, avoiding confusion and unintended side effects.
7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
The FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from Kerberos policy checks during password changes made by the Directory Manager or a password synchronization manager. In some cases this issue affected, among others, the integrated CA administrator account when deploying more than one replica.
8233: 4.8.5 master Installation error
On Debian and ALT Linux, setup of the AJP connector restarted the Apache instance before it was configured. The restart wasn’t actually needed and was removed.
8236: Enforce a check to prevent adding objects from IPA as external members of external groups
The ‘ipa group-add-member’ command allowed any user or group to be specified for the ‘--external’ option. A stricter check was added to verify that a group or user being added as an external member does not come from the IPA domain.
8239: Actualize Bootstrap version
The Bootstrap JavaScript framework used by the FreeIPA web UI was updated to version 3.4.1.
Enhancements
Known Issues
Bug fixes
FreeIPA 4.7.5 is a stabilization release for the features delivered as a part of 4.7 version series.
There are more than 60 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.
Resolved tickets
#2018 Change hostname length limit to 64
#4972 check for existence of private group is done even if UPG definition is disabled
#5062 [WebUI] Unlock option is enabled for all user.
#5662 ID Views: do not allow custom Views for the masters
#6210 When master’s IP address does not resolve to its name, ipa-replica-install fails
#6843 ipa-backup does not create log file at /var/log/
#6951 Update samba config file and use sss idmap module
#7181 ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
#7307 RFE: Extend IPA to support unadvertised replicas
#7566 Installation of replica against a specific master
#7600 Enable compat tree to provide information about AD users and groups on trust agents
#7725 ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory
#7804 `ipa otptoken-sync` fails with stack trace
#7810 [F28] Require NSS with fix for p11-kit issue.
#7834 Fix certificate revocation tests for Web UI
#7870 [certmonger][upgrade] “Failed to get request: bus, object_path and dbus_interface must not be None.”
#7895 ipa trust fetch-domains, server parameter ignored
#7908 Write tests for interactive prompt for NTP options.
#7917 Occasional ‘whoami.data is undefined’ error in FreeIPA web UI
#7949 test_integration/test_nfs.py fails at cleanup
#7995 Removing TLSv1.0, TLSv1.1 from nss.conf
#8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
#8017 host-add --password logs cleartext userpassword to Apache error log
#8026 Update pr-ci definitions with master_3client topology
#8027 test_nfs.py: migrate to master_3client
#8029 ipa host-find --pkey-only includes SSH keys in output
#8034 Existing p11-kit config file is not restored on uninstall
#8044 Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
#8055 Test for PG6843: ipa-backup does not create log file at /var/log is failing
#8067 add default access control configuration to trusted domain objects
#8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
#8073 Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module
#8077 New pylint 2.4.0 errors
#8082 Default client configuration breaks ssh in FIPS mode.
#8084 KRA authentication fails when IPA CA has custom Subject DN
#8086 ipa-server-certinstall man page does not match built-in help.
#8099 ipa-backup command is failing on rhel-7.8
#8102 Pylint 2.4.3 + Astroid 2.3.2 errors
#8113 ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
#8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
#8120 Invisible part of notification area in Web UI intercepts clicks of some page elements
#8131 covscan memory leaks report
#8138 Man page ipa-cacert-manage does not display correctly on RHEL
#8148 add “systemctl restart sssd” to warning message when adding trust agents to replicas
#8151 test_commands timing-out
#8157 Nightly test failure in fedora-rawhide/test_webui_network
#8163 “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]
#8164 Renewed certs are not picked up by IPA CAs
#8169 Nightly test failure in fedora-rawhide/test_webui_policy
#8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
#8176 External CA is tracked for renewals and replaced with a self-signed certificate
#8193 Re-order 50-externalmembers.update to be after 80-schema_compat.update
#8213 Test failure in Travis CI: missing IPv6 loopback interface
#8219 ipatests: unify editing of sssd.conf
#8221 Secure AJP connector between Dogtag and Apache proxy
#8226 ipa-restore does not restart httpd
#8228 Nightly failure in backup/restore while calling ‘id admin’
#8233 4.8.5 master Installation error
#8236 Enforce a check to prevent adding objects from IPA as external members of external groups
#8239 Actualize Bootstrap version
Detailed changelog since 4.7.4
Armando Neto (6)
Alexander Bokovoy (20)
ipa-pwd-extop: don’t check password policy for non-Kerberos account set by DM or a passsync manager commit #7181
ipatests: test sysaccount password change with a password policy applied commit #7181
ipatests: allow changing sysaccount passwords as cn=Directory Manager commit #7181
Fix indentation levels commit
ipatests: always skip additional input for group-add-member --external commit #8236
Prevent adding IPA objects as external members of external groups commit #8236
Secure AJP connector between Dogtag and Apache proxy commit #8221
install/updates: move external members past schema compat update commit #8193
covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131
covscan: free encryption types in case there is an error commit #8131
Become FreeIPA 4.7.4 commit
Do not run trust upgrade code if master lacks Samba bindings commit #8001
adtrust: add default read_keys permission for TDO objects commit #8067
add default access control when migrating trust objects commit #8067
Update sudo test as SSSD 2.2.0 is available in the test image commit
Restore SELinux context for p11-kit config overrides commit #7810
Back to git builds commit
Anuja More (11)
Mark test to skip sssd-2.2.0 [sssd/issue/4073] commit
ipatests: User and group with same name should not break reading AD user data. commit
ipatests: Added test when 2FA prompting configurations is set. commit
Mark xfail for sssd-version < 2.2.2 commit
ipatests: SSSD should fetch external groups without any limit. commit
ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit
Update topology for test_integration/test_sssd.py commit
Fix fedora version for xfail for sssd test commit
ipatests: filter_users should be applied correctly. commit
ipatests: ‘sss_ssh_authorizedkeys user’ should return ssh key commit
Extdom plugin should not return error (32)/’No such object’ commit #8044
Christian Heimes (4)
François Cami (6)
Florence Blanc-Renaud (22)
ipatests: wait for SSSD to become online in backup/restore tests commit #8228
xmlrpc tests: add a test for idview-apply on a master commit #5662
ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600
ipatests: add test for ipa-adtrust-install --add-agents commit #7600
ipa-adtrust-install: run remote configuration for new agents commit #7600
Privilege: add a helper checking if a principal has a given privilege commit #7600
ipatests: fix TestSubCAkeyReplication commit
ipatests: fix modify_sssd_conf() commit
AD user without override receive InternalServerError with API commit #8163
trust upgrade: ensure that host is member of adtrust agents commit
smartcard: make the ipa-advise script compatible with authselect/authconfig commit #8113
ipa-server-certinstall manpage: add missing options commit #8086
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion commit #8070
ipatests: add XMLRPC test for user-add when UPG plugin is disabled commit #4972
ipa user_add: do not check group if UPG is disabled commit #4972
ipatests: ensure that backup/restore restores pkcs 11 modules config file commit #8073
ipa-backup: backup the PKCS module config files setup by IPA commit #8073
Fraser Tweedale (4)
Gaurav Talreja (1)
Normalize test definitions titles commit
Jayesh Garg (2)
Michal Polovka (3)
Mohammad Rizwan Yusuf (5)
ndehadra (1)
Rob Crittenden (10)
Test that pwpolicy only applied on Kerberos entries commit
Add ability to change a user password as the Directory Manager commit
Don’t save password history on non-Kerberos accounts commit
Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164
CVE-2019-10195: Don’t log passwords embedded in commands in calls using batch commit
ipa-restore: Restore ownership and perms on 389-ds log directory commit #7725
Re-order tasks.restore_pkcs11_modules() to run earlier commit #8034
Don’t log host passwords when they are set/modified commit #8017
Don’t return SSH keys with ipa host-find --pkey-only commit #8029
Robbie Harwood (3)
Sumit Bose (1)
Stanislav Levin (3)
Sergey Orlov (19)
ipatests: provide AD admin password when trying to establish trust commit #7895
ipatests: remove test_ordering commit
ipatests: remove invalid parameter from sssd.conf commit #8219
ipatests: use remote_sssd_config to modify sssd.conf commit #8219
ipatests: replace utility for editing sssd.conf commit #8219
ipatests: update docstring to reflect changes in FileBackup.restore() commit
ipatests: add test_trust suite to nightly runs commit
ipatests: fix collection of tests from test_trust suite commit
ipatests: add test_winsyncmigrate suite to nightly runs commit
ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951
ipatests: in DNS zone file add A record for name server commit
ipatests: strip newline character when getting name of temp file commit
ipatests: add test to check that only TLS 1.2 is enabled in Apache commit #7995
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains commit
ipatests: add tests for cached_auth_timeout in sssd.conf commit
ipatests: add new utilities for file management commit
ipatests: add utility functions related to using and managing user accounts commit
ipatests: modify run_command to allow specify successful return codes commit
Sumedh Sidhaye (2)
Simo Sorce (1)
Make sure to have storage space for tag commit
Serhii Tsymbaliuk (7)
Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 commit #8239
WebUI tests: Fix broken reference to parent facet in table record check commit #8157
WebUI tests: Fix ‘Button is not displayed’ exception commit #8169
Fix occasional ‘whoami.data is undefined’ error in FreeIPA web UI commit #7917
WebUI: Make ‘Unlock’ option is available only on locked user page commit #5062
Tibor Dudlák (5)
Tomas Halman (4)
Theodor van Nahl (1)
Fix UnboundLocalError in ipa-replica-manage on errors commit