The FreeIPA team would like to announce the FreeIPA 4.8.6 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.8.6

  • 5662: ID Views: do not allow custom Views for the masters

    Custom ID views cannot be applied to IPA masters. A check was added to both the IPA CLI and the Web UI to prevent applying custom ID views to masters, avoiding confusion and unintended side effects.


  • 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled

    The FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from Kerberos policy checks during password changes made by the Directory Manager or a password synchronization manager. In some cases this issue affected, among others, an integrated CA administrator account during deployment of more than one replica.


  • 8233: 4.8.5 master Installation error

    On Debian and ALT Linux, setup of the AJP connector restarted the Apache instance before it was configured. The restart wasn’t actually needed and thus was removed.


  • 8236: Enforce a check to prevent adding objects from IPA as external members of external groups

    The ‘ipa group-add-member’ command allowed any user or group to be specified for the ‘--external’ option. A stricter check was added to verify that a group or user to be added as an external member does not come from the IPA domain.


  • 8239: Actualize Bootstrap version

    The Bootstrap JavaScript framework used by the FreeIPA Web UI was updated to version 3.4.1.


  • 8241: Build fails on Fedora 30

    SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30. The logic was changed to allow better portability across SELinux versions.


Enhancements

Known Issues

  • 8240: KRA install fails if all KRA members are Hidden Replicas

    If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the hidden replica with the KRA role visible before adding more KRA instances. The previously hidden replica can be hidden again as soon as ipa-kra-install is complete.


Bug fixes

FreeIPA 4.8.6 is a stabilization release for the features delivered as part of the 4.8 version series.

There are more than 10 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #5662 ID Views: do not allow custom Views for the masters

  • #6891 Move FreeIPA SELinux policy from system policy to project policy

  • #7181 ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled

  • #7895 ipa trust fetch-domains, server parameter ignored

  • #8159 please migrate to the new Fedora translation platform

  • #8193 Re-order 50-externalmembers.update to be after 80-schema_compat.update

  • #8228 Nightly failure in backup/restore while calling ‘id admin’

  • #8233 4.8.5 master Installation error

  • #8236 Enforce a check to prevent adding objects from IPA as external members of external groups

  • #8239 Actualize Bootstrap version

  • #8240 KRA install fails if all KRA members are Hidden Replicas

  • #8241 Build fails on Fedora 30

Detailed changelog since 4.8.5

Alexander Bokovoy (35)

  • Become FreeIPA 4.8.6 commit

  • ipa-pwd-extop: don’t check password policy for non-Kerberos account set by DM or a passsync manager commit #7181

  • ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN commit #7181

  • ipatests: test sysaccount password change with a password policy applied commit #7181

  • ipatests: allow changing sysaccount passwords as cn=Directory Manager commit #7181

  • Fix indentation levels commit

  • ipatests: always skip additional input for group-add-member --external commit #8236

  • po: update Chinese (China) translation commit

  • po: update Ukrainian translation commit

  • po: update Tajik translation timestamp commit

  • po: update Slovak translation timestamp commit

  • po: update Russian translation commit

  • po: update Portuguese (Brazil) translation timestamp commit

  • po: update Portuguese translation timestamp commit

  • po: update Polish translation commit

  • po: update Punjabi translation timestamp commit

  • po: update Dutch translation timestamp commit

  • po: update Marathi translation timestamp commit

  • po: update Kannada translation timestamp commit

  • po: update Japanese translation timestamp commit

  • po: update Indonesian translation timestamp commit

  • po: update Hungarian translation timestamp commit

  • po: update Hindi translation timestamp commit

  • po: update French translation commit

  • po: update Basque translation timestamp commit

  • po: update Spanish translation commit

  • po: update English (United Kingdom) translation timestamp commit

  • po: update German translation commit

  • po: update Czech translation timestamp commit

  • po: update Catalan translation timestamp commit

  • po: update Bengali translation timestamp commit

  • po: update ipa.pot template commit

  • Update translation infrastructure commit #8159

  • Keep ipa.pot translation file in git for weblate commit #8159

  • Prevent adding IPA objects as external members of external groups commit #8236

Christian Heimes (5)

  • po: fix LINGUAS to use whitespace separation commit #8159

  • SELinux: apache_manage_pid_files for F30 commit #8241

  • Add pytest OpenSSH transport with password commit

  • Move freeipa-selinux dependency to freeipa-common commit #6891

  • Integrate ipa_custodia policy commit #6891

François Cami (1)

  • ipatests: test_replica_promotion.py: test KRA on Hidden Replica commit #8240

Florence Blanc-Renaud (3)

  • ipatests: wait for SSSD to become online in backup/restore tests commit #8228

  • xmlrpc tests: add a test for idview-apply on a master commit #5662

  • idviews: prevent applying to a master commit #5662

Mohammad Rizwan Yusuf (3)

  • ipatests: Skip test using paramiko when FIPS is enabled commit

  • Test if schema-compat-entry-attribute is set commit #8193

  • Test if schema-compat-entry-attribute is set commit #8193

Rob Crittenden (4)

  • Test that pwpolicy only applied on Kerberos entries commit

  • Add ability to change a user password as the Directory Manager commit

  • Don’t save password history on non-Kerberos accounts commit

  • Test that ipa-healthcheck human output translates error strings commit

Stanislav Levin (1)

  • pki-proxy: Don’t rely on running apache until it’s configured commit #8233

Sergey Orlov (2)

  • ipatests: provide AD admin password when trying to establish trust commit #7895

  • ipatests: remove test_ordering commit

Serhii Tsymbaliuk (1)

  • Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 commit #8239

sumenon (1)

  • ipatests: Added testcase to check logrotate is added for healthcheck tool commit

Vit Mojzis (1)

  • selinux: disable ipa_custodia when installing custom policy commit #6891