The FreeIPA team would like to announce the FreeIPA 4.8.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 30 and 31 will be available in the official repositories.

Highlights in 4.8.4

FreeIPA 4.8.4 uses the system-provided crypto policy on Fedora and RHEL-based distributions. It enables TLS 1.3 support in its HTTPS endpoints.

Support for managing a list of group managers has been added to both the IPA CLI and the Web UI. A group can now have a list of group managers who are allowed to add and remove group members. This allows for more complex per-group permission granting.

Enhancements

Known Issues

Bug fixes

FreeIPA 4.8.4 is a stabilization release for the features delivered as part of the 4.8.0 series.

There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #6951 Update samba config file and use sss idmap module

  • #7323 IPv6 hack for Travis CI

  • #7804 `ipa otptoken-sync` fails with stack trace

  • #7958 traceback in idview

  • #7985 test failure in test_dnssec.py::TestInstallDNSSECLast::()::test_disable_reenable_signing_replica::teardown

  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth

  • #8082 Default client configuration breaks ssh in FIPS mode.

  • #8104 RFE: Disable Stale/Inactive Users - Upstream Design Document

  • #8118 Run smoke tests in FIPS mode

  • #8120 Invisible part of notification area in Web UI intercepts clicks of some page elements

  • #8122 group-add-member-manager does not report errors

  • #8123 [WebUI] Finish group membership management UI

  • #8125 Use default crypto policy for TLS and enable TLS 1.3 support

  • #8129 Tests: Replace paramiko with OpenSSH

  • #8131 covscan memory leaks report

  • #8133 check_client_configuration() no longer works with IPA_CONFDIR

  • #8134 ipa user-add is inefficient

  • #8137 reinstall failed in adding delegation layout

  • #8138 Man page ipa-cacert-manage does not display correctly on RHEL

  • #8142 check Not Before / Not After in externally signed CA sanity check

  • #8143 service.ldap_disable() does not remove “enabledService”

  • #8144 test_nfs.py: umount.nfs4: /home: device is busy

  • #8148 add “systemctl restart sssd” to warning message when adding trust agents to replicas

  • #8149 SIDs of AD domains do not display in ipa-client-samba installer

Detailed changelog since 4.8.2

Armando Neto (1)

Alexander Bokovoy (8)

  • ipa-client-samba: map domain sid of trust domain properly for display commit #8149

  • DNS install check: allow overlapping zone to be from the master itself commit

  • covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131

  • covscan: free encryption types in case there is an error commit #8131

  • Become FreeIPA 4.8.3 commit

  • Add Authentication Indicator Kerberos ticket policy options commit #8001

  • Allow presence of LDAP attribute options commit #8001

  • Do not run trust upgrade code if master lacks Samba bindings commit #8001

Anuja More (1)

  • ipatests : Login via ssh using private-key for ipa-user should work. commit

Christian Heimes (18)

Cédric Jeanneret (1)

  • Update selinux-policy minimal requirement commit

François Cami (4)

  • ipatests: fix pr-ci templates’ indentation commit

  • ipatests/test_nfs.py: wait before umount commit #8144

  • adtrust.py: mention restarting sssd when adding trust agents commit #8148

  • DSU: add Design for Disable Stale Users commit #8104

Florence Blanc-Renaud (7)

  • ipa-cacert-manage man page: fix indentation commit #8138

  • ipatests: fix TestMigrateDNSSECMaster teardown commit #7985

  • trust upgrade: ensure that host is member of adtrust agents commit

  • ipatests: fix test_crlgen_manage commit

  • ipatests: fix teardown commit

  • ipatests: generic uninstall should call ipa server-del commit #7985

  • Nightly definition: use right template for krbtpolicy commit #8001

MIZUTA Takeshi (1)

  • Add config that maintains existing content to ipa-client-install manpage commit

Rob Crittenden (2)

  • CVE-2019-10195: Don’t log passwords embedded in commands in calls using batch commit

  • Add integration test for Kerberos ticket policy commit #8001

Sumit Bose (1)

  • ipa-kdb: Remove keys if password auth is disabled commit #8001

Sergey Orlov (1)

  • ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951

Simo Sorce (1)

  • Make sure to have storage space for tag commit

Serhii Tsymbaliuk (2)

  • WebUI: Fix notification area layout commit #8120

  • WebUI: Fix adding member manager for groups and host groups commit #8123

Timo Aaltonen (1)

  • Debian: Fix font-awesome path. commit

Thomas Woerner (2)

  • Enable TestInstallMasterDNSRepeatedly in prci_definitions commit

  • Test repeated installation of the primary with DNS enabled and domain set commit