The FreeIPA team would like to announce FreeIPA 4.8.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 30 will be available in the official Fedora repository soon.
Highlights in 4.8.1
5608: [RFE] Add Dogtag configuration extensions
It is now possible to tune the Dogtag configuration when creating a CA by passing an overlay configuration file with the --pki-config-override option. Not all options are supported yet and documentation is being worked on.
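An illustrative overlay file, added here as an example and not taken from the release or the FreeIPA documentation: it follows the INI layout that pkispawn uses for its own configuration, with a section per subsystem and pki_* keys. The key shown, pki_ca_signing_key_size, is a pkispawn key; whether 4.8.1 honours this particular key through --pki-config-override is an assumption, since the release notes say only a subset of options is supported.

```ini
; Assumed example overlay for --pki-config-override (not shipped with FreeIPA).
; Keys are merged over the pkispawn configuration that ipa-server-install
; generates; only set what you need to change.
[CA]
; pkispawn key for the CA signing key size (default is 2048).
pki_ca_signing_key_size=4096
```

The file is passed at install time, for example `ipa-server-install --pki-config-override=/root/pki-override.cfg`; after installation, inspect the resulting CA signing certificate to confirm that the override actually took effect rather than trusting the option silently.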
Release tarball corrections
The FreeIPA 4.8.0 release tarball lacked two update files. This release adds them back. The files existed in git but were not installed when building distribution packages.
8040: ipa migrate-ds regression
FreeIPA 4.8.0 tightened access to LDAP connections to disallow passing plaintext credentials over an insecure connection. This broke 'ipa migrate-ds', because migrating to FreeIPA often requires connecting to a legacy LDAP server that does not offer TLS.
FreeIPA 4.8.1 restores the ability to use insecure LDAP connections in 'ipa migrate-ds', for migration purposes only. The bind credentials for the legacy server still cross the network in the clear in that case, so prefer an ldaps:// URL (with --ca-cert-file for a private CA) whenever the legacy server supports TLS, and run a plaintext migration only from a host on a trusted network segment.
Enhancements
7932 and 7933: index certmap attributes and allow altSecurityIdentities in schema
For certificate mapping operations it is possible to specify altSecurityIdentities in the certificate mapping filters. The filter is applied by SSSD against both FreeIPA and Active Directory LDAP servers. While nothing in FreeIPA uses altSecurityIdentities yet, having the attribute in the schema lets the LDAP server optimize such queries. Additionally, the other certificate mapping attributes are now indexed, which speeds up lookups in environments with a large set of mapping rules.
7991: Profile-based renewal of system certificates
FreeIPA-specific certificates tracked by certmonger can now be renewed while preserving the certificate profile that was used to issue them. It is also possible to change the certificate profile during renewal. This is required to allow updating certain profile-specific attributes of the system certificates in the future.
Known Issues
Bug fixes
FreeIPA 4.8.1 is a stabilization release for the features delivered as part of the FreeIPA 4.8 series. It contains more than 30 bug fixes; details can be found in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.
Resolved tickets
5608 [RFE] Add Dogtag configuration extensions
7305 PKINIT status not displayed in the web UI (IPA Server > Configuration)
7329 update_ra_cert_store does not remove private key from NSSDB
7548 Need integration test for --external-ca-type=ms-cs
7597 IPA: IDM drops all custom attributes when moving account from preserved to stage
7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
7810 [F28] Require NSS with fix for p11-kit issue.
7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules
7908 Write tests for interactive prompt for NTP options.
7929 ERROR: invalid ‘PKINIT enabled server’: all masters must have IPA master role enabled
7932 FreeIPA queries rely on missing attribute altsecurityidentities
7933 FreeIPA must index certmap attributes.
7949 test_integration/test_nfs.py fails at cleanup
7991 Use profile-based renewal for system certificates
7996 `test_selinuxusermap_plugin` fails against not default SELinux settings
8004 RHEL 8 uses nis-domainname instead of rhel-domainname
8005 User field separator uses ‘$$’ within ipaSELinuxUserMapOrder
8007 Not stable nodeids within pytest
8008 Azure Pipeline slicing
8009 Missing execution bit on `ipa-run-tests` within virtualenv
8012 test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure
8013 ipa service-find does not list cifs service created by ipa-client-samba
8015 p11helper: insufficient logging when loading LIBSOFTHSM2_SO
8019 repeated uninstallation of ipa-client-samba crashes
8021 ipa-client-samba can not install samba after uninstallation
8022 azure pipeline: fail if dnf builddep exits on failure
8024 [WebUI] test_webui/test_trust.py failed because of request timeout
8026 Update pr-ci definitions with master_3client topology
8027 test_nfs.py: migrate to master_3client
8029 ipa host-find --pkey-only includes SSH keys in output
8030 azure pipelines fail at “Install prerequisites” of Tox job
8040 ipa migrate-ds fails with internal error.
Detailed changelog since 4.8.0
Armando Neto (1)
travis: update container used for testing ipa-4-8 branch
Alexander Bokovoy (14)
Update translation and code contributors for FreeIPA 4.8.1
Switch ipa-4-8 branch to track Zanata ipa-4-8 branch
Update translations for FreeIPA 4.8 branch
Add Theodor van Nahl to the Contributors.txt
Update translations for FreeIPA 4.8.1
Restore SELinux context for p11-kit config overrides
Change RA agent certificate profile to caSubsystemCert
certmaprule: add negative test for altSecurityIdentities
certmap rules: altSecurityIdentities should only be used for trusted domains
Create indexes for altSecurityIdentities and ipaCertmapData attributes
Add altSecurityIdentities attribute from MS-WSPP schema definition
Use stage and phase attempt counters when saving test artifacts
Use any nodejs version instead of forcing a version before nodejs 11
Fix rpmlint errors for Rawhide
Christian Heimes (6)
Allow insecure binds for migration
Don’t move keys when key backup is disabled
Update comments to explain caSubsystemCert switch
Test external CA with DNS name constraints
Add PKCS#11 module name to p11helper errors
Use nis-domainname.service on all RH platforms
François Cami (11)
azure-pipelines.yml: switch to Python 3.7
test_nfs.py: switch to master_3repl
ipatests: rename config_replica_resolvconf_with_master_data()
test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data()
prci_definitions: add master_3client topology
ipapython/admintool.py: use SERVER_NOT_CONFIGURED
ipa-client-samba: remove state on uninstall
ipatests: test ipa-client-samba after --uninstall
ipa-client-samba: remove and restore smb.conf only on first uninstall
ipatests: test multiple invocations of ipa-client-samba --uninstall
ipatests/azure: display actual dnf repo URLs
Florence Blanc-Renaud (6)
Nightly test definition: add missing tests
xmlrpc test: add test for preserved > stage user
user-stage: transfer all attributes from preserved to stage user
test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules
Azure pipeline: report failure in prepare-build step
upgrade: remove ipaCert and key from /etc/httpd/alias
Fraser Tweedale (20)
Add more tests for --external-ca-profile handling
dsinstance: add profile when tracking certificate
ipatests: test ipa-server-upgrade in CA-less deployment
Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants
cainstance: add profile to IPA RA tracking request
upgrade: fix spurious certmonger re-tracking
upgrade: log missing/misconfigured tracking requests
upgrade: update KRA tracking requests
upgrade: always add profile to tracking requests
dogtaginstance: avoid special cases for Server-Cert
dogtag-ipa-ca-renew-agent: always use profile-based renewal
certmonger: use long options when invoking dogtag-ipa-renew-agent
upgrade: add profile to Dogtag tracking requests
dogtaginstance: add profile to tracking requests
ci: add --external-ca-profile tests to gating
ci: add --external-ca-profile tests to nightly
Collapse --external-ca-profile tests into single class
Fix use of incorrect variable
install: fix --external-ca-profile option
move MSCSTemplate classes to ipalib
Christian Hermann (1)
configure.ac: don’t rely on bashisms
Rob Crittenden (3)
Don't return SSH keys with ipa host-find --pkey-only
httpinstance: add pinfile when tracking certificate
Remove posixAccount from service_find search filter
Stanislav Levin (4)
Avoid use of ‘/tmp’ for pip operations
Make use of Azure Pipeline slicing
Simplify ipa-run-tests script
Fix `test_webui.test_selinuxusermap`
Sergey Orlov (3)
ipatests: new test for trust with partially unreachable AD topology
ipatests: mark test_domain_resolution_order as expectedly failing
ipatests: add test for sudo with runAsUser and domain resolution order.
Sumedh Sidhaye (2)
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf
Test: To check ipa replica-manage del does not fail
Serhii Tsymbaliuk (3)
WebUI tests: Fix request timeout for test_trust
WebUI: Add PKINIT status field to ‘Configuration’ page
WebUI tests: Fix timeout issues for reset password tests
Tibor Dudlák (4)
Increase ntp_options test timeout
ipatests: refactor TestNTPoptions
ipatests: Add tests for interactive chronyd config
ipatests: Update test tasks for client to be interactive
Timo Aaltonen (1)
install: Add missing scripts to app_DATA.
Theodor van Nahl (1)
Fix UnboundLocalError in ipa-replica-manage on errors