The FreeIPA team would like to announce the FreeIPA 4.7.5 release!

FreeIPA 4.7.5 is the final release in the 4.7 series. No further releases will be provided for FreeIPA 4.7, as no distributors are using the series anymore.

Two long term support release series are available:

  • FreeIPA 4.6

  • FreeIPA 4.8

Source code for the release can be downloaded from http://www.freeipa.org/page/Downloads.

Highlights in 4.7.5

  • 5662: ID Views: do not allow custom Views for the masters

    Custom ID views cannot be applied to IPA masters. A check was added to both the IPA CLI and the Web UI to prevent applying custom ID views to masters, avoiding confusion and unintended side effects.


  • 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled

    The FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from Kerberos policy checks when their password is changed by the Directory Manager or a password synchronization manager. Among other things, this issue affected the integrated CA administrator account during deployment of a second or subsequent replica in some cases.


  • 8233: 4.8.5 master Installation error

    On Debian and ALT Linux, setup of the AJP connector restarted the Apache instance before it was configured. The restart was not actually needed and was removed.


  • 8236: Enforce a check to prevent adding objects from IPA as external members of external groups

    The ‘ipa group-add-member’ command allowed any user or group to be specified for the ‘--external’ option. A stricter check was added to verify that a group or user to be added as an external member does not come from the IPA domain.


  • 8239: Actualize Bootstrap version

    The Bootstrap JavaScript framework used by the FreeIPA Web UI was updated to version 3.4.1.


Enhancements

Known Issues

Bug fixes

FreeIPA 4.7.5 is a stabilization release for the features delivered as part of the 4.7 version series.

There are more than 60 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #2018 Change hostname length limit to 64

  • #4972 check for existence of private group is done even if UPG definition is disabled

  • #5062 [WebUI] Unlock option is enabled for all user.

  • #5662 ID Views: do not allow custom Views for the masters

  • #6210 When master’s IP address does not resolve to its name, ipa-replica-install fails

  • #6843 ipa-backup does not create log file at /var/log/

  • #6951 Update samba config file and use sss idmap module

  • #7181 ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled

  • #7307 RFE: Extend IPA to support unadvertised replicas

  • #7566 Installation of replica against a specific master

  • #7600 Enable compat tree to provide information about AD users and groups on trust agents

  • #7725 ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory

  • #7804 `ipa otptoken-sync` fails with stack trace

  • #7810 [F28] Require NSS with fix for p11-kit issue.

  • #7834 Fix certificate revocation tests for Web UI

  • #7870 [certmonger][upgrade] “Failed to get request: bus, object_path and dbus_interface must not be None.”

  • #7895 ipa trust fetch-domains, server parameter ignored

  • #7908 Write tests for interactive prompt for NTP options.

  • #7917 Occasional ‘whoami.data is undefined’ error in FreeIPA web UI

  • #7949 test_integration/test_nfs.py fails at cleanup

  • #7995 Removing TLSv1.0, TLSv1.1 from nss.conf

  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth

  • #8017 host-add --password logs cleartext userpassword to Apache error log

  • #8026 Update pr-ci definitions with master_3client topology

  • #8027 test_nfs.py: migrate to master_3client

  • #8029 ipa host-find --pkey-only includes SSH keys in output

  • #8034 Existing p11-kit config file is not restored on uninstall

  • #8044 Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors

  • #8055 Test for PG6843: ipa-backup does not create log file at /var/log is failing

  • #8067 add default access control configuration to trusted domain objects

  • #8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install

  • #8073 Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module

  • #8077 New pylint 2.4.0 errors

  • #8082 Default client configuration breaks ssh in FIPS mode.

  • #8084 KRA authentication fails when IPA CA has custom Subject DN

  • #8086 ipa-server-certinstall man page does not match built-in help.

  • #8099 ipa-backup command is failing on rhel-7.8

  • #8102 Pylint 2.4.3 + Astroid 2.3.2 errors

  • #8113 ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client

  • #8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb

  • #8120 Invisible part of notification area in Web UI intercepts clicks of some page elements

  • #8131 covscan memory leaks report

  • #8138 Man page ipa-cacert-manage does not display correctly on RHEL

  • #8148 add “systemctl restart sssd” to warning message when adding trust agents to replicas

  • #8151 test_commands timing-out

  • #8157 Nightly test failure in fedora-rawhide/test_webui_network

  • #8163 “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]

  • #8164 Renewed certs are not picked up by IPA CAs

  • #8169 Nightly test failure in fedora-rawhide/test_webui_policy

  • #8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS

  • #8176 External CA is tracked for renewals and replaced with a self-signed certificate

  • #8193 Re-order 50-externalmembers.update to be after 80-schema_compat.update

  • #8213 Test failure in Travis CI: missing IPv6 loopback interface

  • #8219 ipatests: unify editing of sssd.conf

  • #8221 Secure AJP connector between Dogtag and Apache proxy

  • #8226 ipa-restore does not restart httpd

  • #8228 Nightly failure in backup/restore while calling ‘id admin’

  • #8233 4.8.5 master Installation error

  • #8236 Enforce a check to prevent adding objects from IPA as external members of external groups

  • #8239 Actualize Bootstrap version

Detailed changelog since 4.7.4

Armando Neto (6)

  • Travis: Enable IPv6 support for Docker #8213

  • prci: Bump template version

  • ipatests: Skip test_sss_ssh_authorizedkeys method #8151

  • prci: bump template version

  • prci: increase timeout argument for test_sssd.py

  • prci: Update box used in branch ipa-4-7

Alexander Bokovoy (20)

  • ipa-pwd-extop: don’t check password policy for non-Kerberos account set by DM or a passsync manager #7181

  • ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN #7181

  • ipatests: test sysaccount password change with a password policy applied #7181

  • ipatests: allow changing sysaccount passwords as cn=Directory Manager #7181

  • Fix indentation levels

  • ipatests: always skip additional input for group-add-member --external #8236

  • Prevent adding IPA objects as external members of external groups #8236

  • Secure AJP connector between Dogtag and Apache proxy #8221

  • Tighten permissions on PKI proxy configuration #8221

  • install/updates: move external members past schema compat update #8193

  • covscan: free ucs2-encoded password copy when generating NTLM hash #8131

  • covscan: free encryption types in case there is an error #8131

  • Become FreeIPA 4.7.4

  • Do not run trust upgrade code if master lacks Samba bindings #8001

  • adtrust: add default read_keys permission for TDO objects #8067

  • add default access control when migrating trust objects #8067

  • ipa-extdom-extop: test timed out getgrgid_r #8044

  • Update sudo test as SSSD 2.2.0 is available in the test image

  • Restore SELinux context for p11-kit config overrides #7810

  • Back to git builds

Anuja More (11)

  • Mark test to skip sssd-2.2.0 [sssd/issue/4073]

  • ipatests: User and group with same name should not break reading AD user data.

  • ipatests: Added test when 2FA prompting configuration is set.

  • Mark xfail for sssd-version < 2.2.2

  • ipatests: SSSD should fetch external groups without any limit.

  • ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name

  • Update topology for test_integration/test_sssd.py

  • Fix fedora version for xfail for sssd test

  • ipatests: filter_users should be applied correctly.

  • ipatests: ‘sss_ssh_authorizedkeys user’ should return ssh key

  • Extdom plugin should not return error (32)/’No such object’ #8044

Christian Heimes (4)

  • Add test case for OTP login #7804

  • Cherry-picked only ldapmodify_dm()

  • Print LDAP diagnostic messages on error

  • Use default ssh host key algorithms #8082

François Cami (6)

  • ipa-restore: restart services at the end #8226

  • adtrust.py: mention restarting sssd when adding trust agents #8148

  • test_nfs.py: switch to master_3repl #8027

  • ipatests: rename config_replica_resolvconf_with_master_data()

  • test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data() #7949

  • prci_definitions: add master_3client topology #8026

Florence Blanc-Renaud (22)

  • ipatests: wait for SSSD to become online in backup/restore tests #8228

  • xmlrpc tests: add a test for idview-apply on a master #5662

  • idviews: prevent applying to a master #5662

  • ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing #7600

  • ipatests: add test for ipa-adtrust-install --add-agents #7600

  • ipa-adtrust-install: run remote configuration for new agents #7600

  • Privilege: add a helper checking if a principal has a given privilege #7600

  • ipatests: fix TestSubCAkeyReplication

  • ipatests: fix modify_sssd_conf()

  • ipatests: fix backup and restore #8170

  • AD user without override receives InternalServerError with API #8163

  • ipa-cacert-manage man page: fix indentation #8138

  • trust upgrade: ensure that host is member of adtrust agents

  • smartcard: make the ipa-advise script compatible with authselect/authconfig #8113

  • ipa-backup: fix python2 issue with os.mkdir #8099

  • ipa-server-certinstall manpage: add missing options #8086

  • ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion #8070

  • ipatests: add XMLRPC test for user-add when UPG plugin is disabled #4972

  • ipa user_add: do not check group if UPG is disabled #4972

  • replica install: enforce --server arg #7566

  • ipatests: ensure that backup/restore restores pkcs 11 modules config file #8073

  • ipa-backup: backup the PKCS module config files setup by IPA #8073

Fraser Tweedale (4)

  • Do not renew externally-signed CA as self-signed #8176

  • test_integration: add tests for custom CA subject DN #8084

  • upgrade: fix ipakra people entry ‘description’ attribute #8084

  • krainstance: set correct issuer DN in uid=ipakra entry #8084

Gaurav Talreja (1)

  • Normalize test definitions titles

Jayesh Garg (2)

  • Test if ipactl starts services stopped by systemctl

  • Test for ipa-ca-install on replica

Michal Polovka (3)

  • ipatests: add tests for ipa host-add with non-default maxhostnamelength #2018

  • ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions #6843, #8055

  • ipatests: Test for ipa-backup with ipa not configured #6843

Mohammad Rizwan Yusuf (5)

  • Test if schema-compat-entry-attribute is set #8193

  • Test if schema-compat-entry-attribute is set #8193

  • add test to nightly yaml

  • Installation of replica against a specific server #7566

  • Check file ownership and permission for dirsrv log instance #7725

ndehadra (1)

  • Hidden Replica: Add a test for Automatic CRL configuration #7307

Rob Crittenden (10)

  • Test that pwpolicy only applied on Kerberos entries

  • Add ability to change a user password as the Directory Manager

  • Don’t save password history on non-Kerberos accounts

  • Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit #8164

  • CVE-2019-10195: Don’t log passwords embedded in commands in calls using batch

  • ipa-restore: Restore ownership and perms on 389-ds log directory #7725

  • Report if a certmonger CA is missing #7870

  • Re-order tasks.restore_pkcs11_modules() to run earlier #8034

  • Don’t log host passwords when they are set/modified #8017

  • Don’t return SSH keys with ipa host-find --pkey-only #8029

Robbie Harwood (3)

  • Fix segfault in ipadb_parse_ldap_entry()

  • Fix NULL pointer dereference in maybe_require_preauth()

  • Log INFO message when LDAP connection fails on startup

Sumit Bose (1)

  • extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT #8044

Stanislav Levin (3)

  • pki-proxy: Don’t rely on running apache until it’s configured #8233

  • Fix errors found by Pylint-2.4.3 #8102

  • Fixed errors newly exposed by pylint 2.4.0 #8077

Sergey Orlov (19)

  • ipatests: provide AD admin password when trying to establish trust #7895

  • ipatests: remove test_ordering

  • ipatests: remove invalid parameter from sssd.conf #8219

  • ipatests: use remote_sssd_config to modify sssd.conf #8219

  • ipatests: replace utility for editing sssd.conf #8219

  • ipatests: update docstring to reflect changes in FileBackup.restore()

  • ipatests: add test_trust suite to nightly runs

  • ipatests: fix collection of tests from test_trust suite

  • ipatests: add test_winsyncmigrate suite to nightly runs

  • ipatests: add check that ipa-adtrust-install generates sane smb.conf #6951

  • ipatests: refactor FileBackup helper #8115

  • ipatests: in DNS zone file add A record for name server

  • ipatests: strip newline character when getting name of temp file

  • ipatests: add test to check that only TLS 1.2 is enabled in Apache #7995

  • ipatests: fix DNS forwarders setup for AD trust tests with non-root domains

  • ipatests: add tests for cached_auth_timeout in sssd.conf

  • ipatests: add new utilities for file management

  • ipatests: add utility functions related to using and managing user accounts

  • ipatests: modify run_command to allow specifying successful return codes

Sumedh Sidhaye (2)

  • Added a test to check if ipa host-find --pkey-only does not return SSH public key #8029

  • Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf

Simo Sorce (1)

  • Make sure to have storage space for tag

Serhii Tsymbaliuk (7)

  • Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 #8239

  • WebUI tests: Fix broken reference to parent facet in table record check #8157

  • WebUI tests: Fix ‘Button is not displayed’ exception #8169

  • Fix occasional ‘whoami.data is undefined’ error in FreeIPA web UI #7917

  • Fix certificate revocation tests for Web UI #7834

  • WebUI: Fix notification area layout #8120

  • WebUI: Make ‘Unlock’ option available only on locked user page #5062

Tibor Dudlák (5)

  • Add container environment check to replicainstall #6210

  • Increase ntp_options test timeout

  • ipatests: refactor TestNTPoptions

  • ipatests: Add tests for interactive chronyd config #7908

  • ipatests: Update test tasks for client to be interactive #7908

Tomas Halman (4)

  • extdom: add extdom protocol documentation

  • extdom: use sss_nss_*_timeout calls

  • extdom: plugin doesn’t use timeout in blocking call

  • extdom: plugin doesn’t allow @ in group name

Theodor van Nahl (1)

  • Fix UnboundLocalError in ipa-replica-manage on errors