The FreeIPA team would like to announce the FreeIPA 4.8.5 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 30-32 versions will be available soon.
Highlights in 4.8.5
#8214 openDNSSEC 2.1 support
#8221 AJP connector protection for Dogtag/FreeIPA communication as a mitigation for CVE-2020-1938. Fedora and RHEL do not force an encrypted AJP connector by default with 9.0.31, but FreeIPA 4.8.5 will convert to an encrypted AJP channel on upgrade or at a new deployment. Use of AJP is already limited to localhost connections with the integrated CA.
Default authentication indicators are now documented in the FreeIPA workshop (freeipa/freeipa-workshop).
#6891 FreeIPA SELinux policy is now part of the upstream packaging and replaces distribution-wide policies.
New internal mechanism to promote Trust Agents in ipa-adtrust-install, allowing the schema compatibility plugin to be configured on remote replicas.
#8124 New “ipa-cacert-manage delete” command to allow pruning a CA certificate from the LDAP store
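The AJP hardening in #8221 above boils down to two properties of the Dogtag Tomcat connector: it must listen on loopback only and it must require a shared secret from the Apache proxy. The following added verification script is not FreeIPA or Dogtag code; it audits a Tomcat server.xml for those properties using Tomcat's own AJP connector attributes (`address`, `secret`, `secretRequired`), and the embedded server.xml is a constructed sample, not a real deployment file (function names are illustrative).

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real Dogtag file): the first AJP connector
# is the pre-hardening shape, the second is the shape FreeIPA 4.8.5 converts to.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="0.0.0.0"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost" secret="CONSTRUCTED-EXAMPLE-SECRET" secretRequired="true"/>
  </Service>
</Server>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_ajp_connectors(server_xml: str):
    """Return one finding per AJP connector: its port, bind address and a list of problems."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP/"):
            continue
        address = conn.get("address", "")
        secret = conn.get("secret")
        # Tomcat 9.0.31+ defaults secretRequired to true; an explicit "false" reopens the hole.
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        problems = []
        if address not in LOOPBACK:
            problems.append("not bound to loopback")
        if not secret:
            problems.append("no shared secret configured")
        if not secret_required:
            problems.append("secretRequired disabled")
        findings.append({"port": conn.get("port"), "address": address, "problems": problems})
    return findings


def all_connectors_hardened(server_xml: str) -> bool:
    """True only if every AJP connector is loopback-bound and secret-protected."""
    return all(not f["problems"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["problems"] else "; ".join(f["problems"])
        print(f"AJP connector port={f['port']} address={f['address']!r}: {status}")
```

On a real server, feed the script the contents of the Dogtag instance's server.xml and confirm the Apache side passes the same secret to mod_proxy_ajp; a mismatch shows up as proxy errors, not as a silent downgrade.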
Enhancements
Backup / restore tools now check whether the packages for the various optional IPA master features are installed before restoring
IPA CLI commands for DNS operations display additional attributes and handle optional parameters when a record is removed
Additional checks for external CA certificate properties during installation
Minor content improvements in ipa-client-samba’s tool output
Preliminary support for building with MIT Kerberos 1.18
Increased test coverage in upstream test suite
Ability to test multi-host scenarios in upstream CI using Azure Pipelines
Known Issues
Bug fixes
FreeIPA 4.8.5 is a stabilization release for the features delivered as a part of 4.8.0 release series.
There are more than 50 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
#6891 Move FreeIPA SELinux policy from system policy to project policy
#7522 Disable cert publishing in dogtag
#7537 PR-CI: external_ca tests are hitting timeout
#7600 Enable compat tree to provide information about AD users and groups on trust agents
#7630 ipa-restore should check that optional feature packages are installed before restoring a backup using a feature
#7744 ipa-replica-install picks wrong replica for CA initial replication
#7830 FreeIPA installation fails with 389-DS 1.4.0.20-1
#7856 Nightly test failure in test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall
#7861 Make IPADiscovery available in PyPI packages
#7909 Wrong evaluation of replication update status
#7917 Occasional ‘whoami.data is undefined’ error in FreeIPA web UI
#7938 ‘ipa dnszone-show/find’ should display “Dynamic Update” and “Bind update policy” by default
#7941 ipapython/dn_ctypes.py: libldap_r shared library missing
#7942 WebUI test for automount is broken
#7948 [FIPS] Use 3DES for certificate encryption when creating a PKCS#12
#7953 ipa-pwd-extop: do not remove MagicRegen mod, replace it
#7965 Stop using 389-ds legacy tools for backup and restore
#7974 Nightly test failure in ipatests.test_integration.test_user_permissions.TestUserPermissions
#7984 make sure ‘make fastlint’ processes Python .in files
#7987 Python shebang: Use isolated mode
#7989 Pytest4.2+ errors
#7990 Assumptions about systemd name of `named`
#7998 Use system-wide crypto policy in TLS client
#8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
#8004 RHEL 8 uses nis-domainname instead of rhel-domainname
#8029 ipa host-find --pkey-only includes SSH keys in output
#8079 [Security] By default, DNS recursion is open, breaking best practices
#8098 Host principals lack ACI to look up DNS objects in LDAP
#8105 getcert with -F option returns before cacert file is created
#8110 Enable AES SHA 256 and 384 Kerberos enctypes
#8116 Pylint parallel execution with custom plugin
#8124 Add option to ipa-cacert-manage to delete certificates
#8135 When Service weight is set as 0 for server in IPA location “IPA Error 903: InternalError” is displayed
#8142 check Not Before / Not After in externally signed CA sanity check
#8149 SIDs of AD domains do not display in ipa-client-samba installer
#8150 IPA Server install fail
#8151 test_commands timing-out
#8153 Kerberos ticket policy reset does not reset per-indicator policies
#8157 Nightly test failure in fedora-rawhide/test_webui_network
#8163 “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]
#8164 Renewed certs are not picked up by IPA CAs
#8169 Nightly test failure in fedora-rawhide/test_webui_policy
#8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
#8173 Broken -k argument parsing in ipa-run-tests 4.8.4-1 package
#8176 External CA is tracked for renewals and replaced with a self-signed certificate
#8179 Tests broken with python version < 3.7 (module ‘re’ has no attribute ‘Pattern’)
#8190 ipa-client-automount fails after repeated installation/uninstallation
#8192 ipa-adtrust-install does not list service records for manual addition to DNS zone
#8193 Re-order 50-externalmembers.update to be after 80-schema_compat.update
#8196 API: dnsrecord_del failure with empty list aaaarecord
#8200 ipa krb5kdc db: krb5kdc coredump
#8201 update ssbrowser.html
#8202 Azure: add support for multi-container tests
#8214 Support for opendnssec 2.1.6
#8219 ipatests: unify editing of sssd.conf
#8221 Secure AJP connector between Dogtag and Apache proxy
#8226 ipa-restore does not restart httpd
Detailed changelog since 4.8.4
Armando Neto (4)
Alexander Bokovoy (11)
Become FreeIPA 4.8.5 commit
Add new contributors to the list commit
Add more contributor emails to the mailmap commit
Secure AJP connector between Dogtag and Apache proxy commit #8221
Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+ commit
kdb: make sure audit_as_req callback signature change is preserved commit #8200
adtrust: print DNS records for external DNS case after role is enabled commit #8192
Update Azure Pipelines to use Fedora 31 commit
install/updates: move external members past schema compat update commit #8193
Anuja More (11)
Mark test to skip sssd-2.2.2 commit
ipatests: User and group with same name should not break reading AD user data. commit
ipatests: Added test when 2FA prompting configurations is set. commit
ipatests: SSSD should fetch external groups without any limit. commit
ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit
Update topology for test_integration/test_sssd.py commit
After mounting “Unspecified GSS failure” should not be in logs. commit
Add xmlrpc test with input validation check for kerberos ticket policy. commit
Fix fedora version for xfail for sssd test commit
Add integration test for otp kerberos ticket policy. commit #8001
ipatests: filter_users should be applied correctly. commit
Christian Heimes (7)
Dinesh Prasanth M K (1)
Adding auto COPR builds commit
François Cami (5)
ipatests: make sure ipa-client-automount reverts sssd.conf commit #8190
ipa-client-automount: call save_domain() for each change commit #8190
ipatests: expect “Dynamic Update” and “Bind update policy” in default dnszone* output commit #7938
ipaserver/plugins/dns.py: add “Dynamic Update” and “Bind update policy” to default dnszone* output commit #7938
Florence Blanc-Renaud (16)
opendnssec2.1 support: move all ods tasks to specific file commit #8214
DnsSecMaster migration: move the call to zonelist export later commit #8214
Support OpenDNSSEC 2.1: new ods-signer protocol commit #8214
With opendnssec 2, read the zone list from file commit #8214
selinux policy: add the right context for org.freeipa.server.trust-enable-agent commit #7600
ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600
ipatests: fix TestSubCAkeyReplication commit
ipatests: add test for ipa-adtrust-install --add-agents commit #7600
ipa-adtrust-install: run remote configuration for new agents commit #7600
Privilege: add a helper checking if a principal has a given privilege commit #7600
Part2: Don’t fully qualify the FQDN in ssbrowser.html for Chrome commit #8201
ipatests: fix modify_sssd_conf() commit
AD user without override receive InternalServerError with API commit #8163
Fraser Tweedale (4)
Gaurav Talreja (1)
Normalize test definitions titles commit
Isaac Boukris (2)
Jayesh (3)
Kaleemullah Siddiqui (1)
Mohammad Rizwan Yusuf (6)
Rob Crittenden (7)
Move execution of ipa-healthcheck to a separate function commit
Fix div-by-zero when svc weight is 0 for all masters in location commit #8135
Don’t fully qualify the FQDN in ssbrowser.html for Chrome commit #8201
ipa-certupdate removes all CA certs from db before adding new ones commit #8124
Add delete option to ipa-cacert-manage to remove CA certificates commit #8124
Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164
Robbie Harwood (6)
Stanislav Levin (24)
spec: Take the ownership over ‘/usr/libexec/ipa/custodia’ commit
Azure: Report elapsed time commit
Azure: Rebalance tests commit
Azure: Skip tests requiring external DNS commit
Azure: Free Docker resources after usage commit
Azure: Preliminary check for provided limits commit
Azure: Sync Gating definitions to current PR-CI commit
Azure: Add support for testing multi IPA environments commit #8202
Azure: Make it possible to configure distro-specific stuff commit #8202
Azure: Allow to not provide tests to be ignored commit #8202
pylint: Synchronize pylint plugin to ipatests code commit #8116
pylint: Teach Pylint how to handle request.context commit #8116
pytest: Migrate unittest/nose to Pytest fixtures commit #7989
pytest: Migrate xunit-style setups to Pytest fixtures commit #7989
Sergey Orlov (9)
ipatests: add test for SSSD updating expired cache items commit
ipatests: provide docstrings instead of improperly placed comments commit
ipatests: remove invalid parameter from sssd.conf commit #8219
ipatests: use remote_sssd_config to modify sssd.conf commit #8219
ipatests: replace utility for editing sssd.conf commit #8219
ipatests: update docstring to reflect changes in FileBackup.restore() commit
ipatests: add test_trust suite to nightly runs commit
ipatests: add check for output contents of ipa-client-samba commit #8149
ipatests: add test_winsyncmigrate suite to nightly runs commit