The FreeIPA team would like to announce FreeIPA 4.8.5 release!

It can be downloaded from Builds for Fedora 30-32 versions will be available soon.

Highlights in 4.8.5

  • #8214 openDNSSEC 2.1 support

  • #8221 AJP connector protection for Dogtag/FreeIPA communication, mitigating CVE-2020-1938 (Ghostcat). Tomcat 9.0.31 requires the AJP connector to carry a shared secret; the Fedora and RHEL packages do not enforce that requirement by default, but FreeIPA 4.8.5 configures a secret on Dogtag's AJP connector and in the matching Apache proxy configuration, both on upgrade and at a new deployment. Note that AJP itself is not encrypted: the secret authenticates the Apache proxy to Dogtag, and the channel was already limited to localhost connections when the integrated CA is used.

  • Default authentication indicators are now documented in the FreeIPA workshop (freeipa/freeipa-workshop)

  • #6891 FreeIPA SELinux policy is now part of the upstream packaging and replaces distribution-wide policies.

  • New internal mechanism to promote replicas to Trust Agents in ipa-adtrust-install, allowing the schema compatibility plugin to be configured on remote replicas.

  • #8124 New “ipa-cacert-manage delete” command to allow pruning a CA certificate from the LDAP store


  • Backup / restore tools now check whether the packages for the various optional IPA master features are installed before restoring

  • IPA CLI commands for DNS operations display additional attributes and handle optional parameters when a record is removed

  • Additional checks for external CA certificate properties during installation

  • Minor content improvements in ipa-client-samba’s tool output

  • Preliminary support for building with MIT Kerberos 1.18

  • Increased test coverage in upstream test suite

  • Ability to test multi-host scenarios in upstream CI using Azure Pipelines
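As an added check that is not part of the release or of FreeIPA's own tooling, the following script audits the two properties the CVE-2020-1938 mitigation above depends on: that Dogtag's AJP connector listens on loopback only, and that it carries a shared secret matching the `secret=` parameter of the ajp:// ProxyPass on the Apache side. It works on any Tomcat server.xml and Apache proxy configuration passed to it; the FreeIPA file locations named in the docstring are assumed defaults and the configuration samples are constructed, so it runs offline.

```python
"""Audit the AJP path between Apache (mod_proxy_ajp) and Dogtag's embedded Tomcat.

Added example for this release note, not FreeIPA project code. Two checks:
  1. the AJP connector binds to loopback only. AJP is cleartext and carries
     request attributes Tomcat trusts, so a connector reachable beyond
     localhost is the actual Ghostcat (CVE-2020-1938) attack surface;
  2. the connector has a non-empty `secret` that matches the `secret=` of the
     ajp:// ProxyPass, as Tomcat 9.0.31+ requires when secretRequired is left
     at its default of true (the connector refuses to start otherwise).

Assumed default FreeIPA locations (not read here, samples below are constructed):
  /etc/pki/pki-tomcat/server.xml and /etc/httpd/conf.d/ipa-pki-proxy.conf
"""
import re
import xml.etree.ElementTree as ET

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def ajp_connectors(server_xml):
    """Return the attribute dicts of all AJP connectors in a Tomcat server.xml."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def proxy_secrets(proxy_conf):
    """Return the secret= value (None if absent) of every ajp:// ProxyPass[Match]."""
    secrets = []
    for line in proxy_conf.splitlines():
        m = re.match(r"\s*ProxyPass(?:Match)?\s+\S+\s+ajp://\S+(.*)$", line)
        if m:
            s = re.search(r"\bsecret=(\S+)", m.group(1))
            secrets.append(s.group(1) if s else None)
    return secrets


def audit_ajp(server_xml, proxy_conf):
    """Return a list of findings; an empty list means the AJP path is protected."""
    findings = []
    connectors = ajp_connectors(server_xml)
    if not connectors:
        return ["no AJP connector defined in server.xml"]
    connector_secrets = set()
    for c in connectors:
        port = c.get("port", "?")
        addr = c.get("address", "").strip("[]")
        if addr not in LOOPBACK:
            # Tomcat before 9.0.31 binds AJP to all interfaces when address is unset.
            findings.append(f"AJP connector {port}: address is "
                            f"{addr or 'unset (all interfaces on Tomcat before 9.0.31)'}")
        if c.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP connector {port}: secretRequired explicitly disabled")
        secret = c.get("secret", "")
        if secret:
            connector_secrets.add(secret)
        else:
            findings.append(f"AJP connector {port}: no secret configured")
    for s in proxy_secrets(proxy_conf):
        if s is None:
            findings.append("httpd ProxyPass to ajp:// has no secret= parameter")
        elif s not in connector_secrets:
            findings.append("httpd ProxyPass secret does not match the connector secret")
    return findings


# Constructed samples: the pre-4.8.5 shape (loopback, but no secret) and a hardened one.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost" />
  </Service>
</Server>"""

WEAK_PROXY_CONF = """# constructed; the real file carries many more ProxyPassMatch lines
ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009
"""

SECRET = "c0ffee1234567890abcdef1234567890"  # constructed value
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    'address="localhost"', f'address="localhost" secret="{SECRET}"')
HARDENED_PROXY_CONF = f"ProxyPassMatch ^/ca/ee/ca/checkRequest ajp://localhost:8009 secret={SECRET}\n"


if __name__ == "__main__":
    for label, xml_text, conf in (("weak", WEAK_SERVER_XML, WEAK_PROXY_CONF),
                                  ("hardened", HARDENED_SERVER_XML, HARDENED_PROXY_CONF)):
        print(label, audit_ajp(xml_text, conf) or "OK")
```

On a real server, read the two files into `audit_ajp`; because the proxy configuration now holds the secret, also confirm its permissions are restricted, which is what the "Tighten permissions on PKI proxy configuration" commit for #8221 addresses.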

Known Issues

Bug fixes

FreeIPA 4.8.5 is a stabilization release for the features delivered as part of the 4.8.0 release series.

There are more than 50 bug fixes; details can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list or the #freeipa channel on Freenode.

Resolved tickets

  • #6891 Move FreeIPA SELinux policy from system policy to project policy

  • #7522 Disable cert publishing in dogtag

  • #7537 PR-CI: external_ca tests are hitting timeout

  • #7600 Enable compat tree to provide information about AD users and groups on trust agents

  • #7630 ipa-restore should check that optional feature packages are installed before restoring a backup using a feature

  • #7744 ipa-replica-install picks wrong replica for CA initial replication

  • #7830 FreeIPA installation fails with 389-DS

  • #7856 Nightly test failure in

  • #7861 Make IPADiscovery available in PyPI packages

  • #7909 Wrong evaluation of replication update status

  • #7917 Occasional ‘ is undefined’ error in FreeIPA web UI

  • #7938 ‘ipa dnszone-show/find’ should display “Dynamic Update” and “Bind update policy” by default

  • #7941 ipapython/ libldap_r shared library missing

  • #7942 WebUI test for automount is broken

  • #7948 [FIPS] Use 3DES for certificate encryption when creating a PKCS#12

  • #7953 ipa-pwd-extop: do not remove MagicRegen mod, replace it

  • #7965 Stop using 389-ds legacy tools for backup and restore

  • #7974 Nightly test failure in ipatests.test_integration.test_user_permissions.TestUserPermissions

  • #7984 make sure ‘make fastlint’ processes Python .in files

  • #7987 Python shebang: Use isolated mode

  • #7989 Pytest4.2+ errors

  • #7990 Assumptions about systemd name of `named`

  • #7998 Use system-wide crypto policy in TLS client

  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth

  • #8004 RHEL 8 uses nis-domainname instead of rhel-domainname

  • #8029 ipa host-find --pkey-only includes SSH keys in output

  • #8079 [Security] By default, DNS recursion is open, breaking best practices

  • #8098 Host principals lack ACI to look up DNS objects in LDAP

  • #8105 getcert with -F option returns before cacert file is created

  • #8110 Enable AES SHA 256 and 384 Kerberos enctypes

  • #8116 Pylint parallel execution with custom plugin

  • #8124 Add option to ipa-cacert-manage to delete certificates

  • #8135 When Service weight is set as 0 for server in IPA location “IPA Error 903: InternalError” is displayed

  • #8142 check Not Before / Not After in externally signed CA sanity check

  • #8149 SIDs of AD domains do not display in ipa-client-samba installer

  • #8150 IPA Server install fail

  • #8151 test_commands timing-out

  • #8153 Kerberos ticket policy reset does not reset per-indicator policies

  • #8157 Nightly test failure in fedora-rawhide/test_webui_network

  • #8163 “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]

  • #8164 Renewed certs are not picked up by IPA CAs

  • #8169 Nightly test failure in fedora-rawhide/test_webui_policy

  • #8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS

  • #8173 Broken -k argument parsing in ipa-run-tests 4.8.4-1 package

  • #8176 External CA is tracked for renewals and replaced with a self-signed certificate

  • #8179 Tests broken with python version < 3.7 (module ‘re’ has no attribute ‘Pattern’)

  • #8190 ipa-client-automount fails after repeated installation/uninstallation

  • #8192 ipa-adtrust-install does not list service records for manual addition to DNS zone

  • #8193 Re-order 50-externalmembers.update to be after 80-schema_compat.update

  • #8196 API: dnsrecord_del failure with empty list aaaarecord

  • #8200 ipa krb5kdc db: krb5kdc coredump

  • #8201 update ssbrowser.html

  • #8202 Azure: add support for multi-container tests

  • #8214 Support for opendnssec 2.1.6

  • #8219 ipatests: unify editing of sssd.conf

  • #8221 Secure AJP connector between Dogtag and Apache proxy

  • #8226 ipa-restore does not restart httpd

Detailed changelog since 4.8.4

Armando Neto (4)

  • prci: update fedora used for testing ipa-4-8

  • prci: Bump template version

  • ipatests: Skip test_sss_ssh_authorizedkeys method #8151

  • ipatests: Improve test_commands reliability

Alexander Bokovoy (11)

  • Become FreeIPA 4.8.5

  • Add new contributors to the list

  • Add more contributor emails to the mailmap

  • Secure AJP connector between Dogtag and Apache proxy #8221

  • Tighten permissions on PKI proxy configuration #8221

  • Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+

  • kdb: make sure audit_as_req callback signature change is preserved #8200

  • adtrust: print DNS records for external DNS case after role is enabled #8192

  • Update Azure Pipelines to use Fedora 31

  • install/updates: move external members past schema compat update #8193

  • Reset per-indicator Kerberos policy #8153

Anuja More (11)

  • Mark test to skip sssd-2.2.2

  • ipatests: User and group with same name should not break reading AD user data.

  • ipatests: Added test when 2FA prompting configuration is set.

  • ipatests: SSSD should fetch external groups without any limit.

  • ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name

  • Update topology for test_integration/

  • After mounting “Unspecified GSS failure” should not be in logs.

  • Add xmlrpc test with input validation check for kerberos ticket policy.

  • Fix fedora version for xfail for sssd test

  • Add integration test for otp kerberos ticket policy. #8001

  • ipatests: filter_users should be applied correctly.

Christian Heimes (7)

  • Allow hosts to read DNS records for IP SAN #8098

  • Cleanup SELinux policy #6891

  • Integrate SELinux policy into build system

  • dnsrecord: Treat empty list arguments correctly #8196

  • Remove dependency on custodia package

  • Make assert_error compatible with Python 3.6 #8179

  • Print LDAP diagnostic messages on error

Dinesh Prasanth M K (1)

  • Adding auto COPR builds

François Cami (5)

  • ipa-restore: restart services at the end #8226

  • ipatests: make sure ipa-client-automount reverts sssd.conf #8190

  • ipa-client-automount: call save_domain() for each change #8190

  • ipatests: expect “Dynamic Update” and “Bind update policy” in default dnszone* output #7938

  • ipaserver/plugins/ add “Dynamic Update” and “Bind update policy” to default dnszone* output #7938

Florence Blanc-Renaud (16)

  • opendnssec2.1 support: move all ods tasks to specific file #8214

  • DnsSecMaster migration: move the call to zonelist export later #8214

  • Support OpenDNSSEC 2.1: new ods-signer protocol #8214

  • With opendnssec 2, read the zone list from file #8214

  • Remove the from opendnssec conf #8214

  • Support opendnssec 2.1.6 #8214

  • selinux policy: add the right context for #7600

  • ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing #7600

  • ipatests: fix TestSubCAkeyReplication

  • ipatests: add test for ipa-adtrust-install --add-agents #7600

  • ipa-adtrust-install: run remote configuration for new agents #7600

  • Privilege: add a helper checking if a principal has a given privilege #7600

  • Part2: Don’t fully qualify the FQDN in ssbrowser.html for Chrome #8201

  • ipatests: fix modify_sssd_conf()

  • ipatests: fix backup and restore #8170

  • AD user without override receives InternalServerError with API #8163

Fraser Tweedale (4)

  • Do not renew externally-signed CA as self-signed #8176

  • ipatests: add test for certinstall with notBefore in the future #8142

  • Fix test regressions caused by certificate validation changes #8142

  • ipatests: assert_error: allow regexp match #8142

Gaurav Talreja (1)

  • Normalize test definitions titles

Isaac Boukris (2)

  • Fix legacy S4U2Proxy in DAL v8 support

  • Fix DAL v8 support

Jayesh (3)

  • Test for ipa-ca-install on replica

  • Test ipa-getkeytab quiet mode, encryptions

  • Test if ipactl starts services stopped by systemctl

Kaleemullah Siddiqui (1)

  • Tests for backup-restore when pkg required is missing #7630

Mohammad Rizwan Yusuf (6)

  • Test if getcert creates cacert file with -F option #8105

  • Move wait_for_request() method to

  • Test if server installer locks Bind9 recursion #8079

  • Add certmonger wait_for_request that uses run_command

  • Test if certmonger reads the token in HSM

  • Test AES SHA 256 and 384 Kerberos enctypes enabled #8110

Rob Crittenden (7)

  • Move execution of ipa-healthcheck to a separate function

  • Fix div-by-zero when svc weight is 0 for all masters in location #8135

  • Don’t fully qualify the FQDN in ssbrowser.html for Chrome #8201

  • Add tests for ipa-cacert-manage delete command #8124

  • ipa-certupdate removes all CA certs from db before adding new ones #8124

  • Add delete option to ipa-cacert-manage to remove CA certificates #8124

  • Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit #8164

Robbie Harwood (6)

  • Drop support for DAL version 5.0

  • Support DAL version 8.0

  • Handle the removal of KRB5_KDB_FLAG_ALIAS_OK

  • Fix several leaks in ipadb_find_principal

  • Use separate variable for client fetch in kdcpolicy

  • Make the coding style explicit

Stanislav Levin (24)

  • spec: Take the ownership over ‘/usr/libexec/ipa/custodia’

  • Azure: Report elapsed time

  • Azure: Rebalance tests

  • Azure: Skip tests requiring external DNS

  • Azure: Free Docker resources after usage

  • Azure: Preliminary check for provided limits

  • Azure: Sync Gating definitions to current PR-CI

  • pylint: Run Pylint over Azure Python scripts #8202

  • Azure: Add support for testing multi IPA environments #8202

  • Azure: Don’t collect twice systemd_journal.log #8202

  • yamllint: Lint all the YAML files #8202

  • Azure: Make it possible to configure distro-specific stuff #8202

  • Azure: Allow to run integration tests #8202

  • Azure: Allow SSH for Docker environments #8202

  • Azure: Allow to not provide tests to be ignored #8202

  • ipatests: Allow zero-length arguments #8173

  • lint: Make Pylint-2.4 happy again #8116

  • pylint: Clean up comment #8116

  • pylint: Synchronize pylint plugin to ipatests code #8116

  • pylint: Teach Pylint how to handle request.context #8116

  • ipatests: Properly kill gpg-agent #7989

  • pytest: Warn about unittest/nose/xunit tests #7989

  • pytest: Migrate unittest/nose to Pytest fixtures #7989

  • pytest: Migrate xunit-style setups to Pytest fixtures #7989

Sergey Orlov (9)

  • ipatests: add test for SSSD updating expired cache items

  • ipatests: provide docstrings instead of improperly placed comments

  • ipatests: remove invalid parameter from sssd.conf #8219

  • ipatests: use remote_sssd_config to modify sssd.conf #8219

  • ipatests: replace utility for editing sssd.conf #8219

  • ipatests: update docstring to reflect changes in FileBackup.restore()

  • ipatests: add test_trust suite to nightly runs

  • ipatests: add check for output contents of ipa-client-samba #8149

  • ipatests: add test_winsyncmigrate suite to nightly runs

Sumedh Sidhaye (1)

  • Added a test to check if ipa host-find --pkey-only does not return SSH public key #8029

Serhii Tsymbaliuk (2)

  • WebUI tests: Fix broken reference to parent facet in table record check #8157

  • WebUI tests: Fix ‘Button is not displayed’ exception #8169

sumenon (3)

  • ipatests: check that ipa-healthcheck warns if no dna range is set

  • Nightly definition for ipa-healthcheck tool

  • Tier-1 test for ipa-healthcheck tool

Thomas Woerner (2)

  • ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels

  • DNS install check: Fix overlapping DNS zone from the master itself #8150

Vit Mojzis (3)

  • selinux: Remove obsolete memcached access

  • selinux: move BUILD_SELINUX_POLICY definition

  • Add freeipa-selinux subpackage