The FreeIPA team would like to announce FreeIPA 4.8.7 release!

It can be downloaded from Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.8.7

  • 3687: [RFE] IPA user account expiry warning.

    EPN stands for Expiring Password Notification. It is a standalone tool that builds a list of users whose passwords will expire in the near future and either displays the list in a machine-readable (JSON) format or sends email notifications to those users. EPN provides command-line options to display the list of affected users. This allows data introspection and helps to understand how many emails would be sent for a given day or date range; the same options can be used by a monitoring system to alert whenever the number of emails to be sent would exceed the SMTP quota. EPN is meant to be launched once a day, from a systemd timer, on an IPA client (preferred) or a replica. EPN does not keep state: the list of affected users is built at runtime and never stored.
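As an added illustration of the selection logic described above (example code written for these notes, not the ipa-epn tool itself), the following Python picks the users whose krbPasswordExpiration falls inside a date window, renders them as JSON and sizes the send against an SMTP quota before any mail would go out; the entries and the quota are constructed sample data.

```python
"""Added example (not FreeIPA's ipa-epn code): the core of an Expiring
Password Notification run as described for ticket 3687.

Input: LDAP user entries carrying krbPasswordExpiration, an LDAP
GeneralizedTime string such as 20200615120000Z (the trailing Z means UTC).
Output: the users whose password expires within [now + from_days,
now + to_days] as JSON, plus a quota check. No state is kept between runs.
"""
import json
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    # Attach UTC explicitly so comparisons never depend on the server's zone.
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiring_users(entries, now, from_days, to_days):
    """Return the users whose krbPasswordExpiration lies inside the window."""
    window_start = now + timedelta(days=from_days)
    window_end = now + timedelta(days=to_days)
    selected = []
    for entry in entries:
        expiry_raw = entry.get("krbPasswordExpiration")
        if not expiry_raw or not entry.get("mail"):
            continue  # nothing to warn about, or nowhere to send the warning
        expiry = parse_generalized_time(expiry_raw)
        if window_start <= expiry <= window_end:
            selected.append({
                "uid": entry["uid"],
                "mail": entry["mail"],
                "krbpasswordexpiration": expiry.strftime("%Y-%m-%d %H:%M:%S"),
                "days_left": (expiry - now).days,
            })
    return sorted(selected, key=lambda user: user["krbpasswordexpiration"])


def as_json(users):
    """Machine-readable form of the list, one object per affected user."""
    return json.dumps({"users": users}, indent=2)


def over_quota(users, smtp_quota):
    """True when one mail per selected user would exceed the SMTP quota;
    a monitoring job can alert on this before the mails are sent."""
    return len(users) > smtp_quota


# Constructed sample data standing in for an LDAP search result.
SAMPLE_ENTRIES = [
    {"uid": "alice", "mail": "alice@example.test", "krbPasswordExpiration": "20200616080000Z"},
    {"uid": "bob", "mail": "bob@example.test", "krbPasswordExpiration": "20200701000000Z"},
    {"uid": "carol", "mail": "carol@example.test", "krbPasswordExpiration": "20200610000000Z"},
    {"uid": "svc-backup", "krbPasswordExpiration": "20200617000000Z"},  # no mail attribute
]

if __name__ == "__main__":
    now = parse_generalized_time("20200615060000Z")
    users = expiring_users(SAMPLE_ENTRIES, now, from_days=0, to_days=7)
    print(as_json(users))
    print("over quota:", over_quota(users, smtp_quota=100))
```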

  • 3827: [RFE] Expose TTL in web UI

    DNS record time-to-live (TTL) values can now be edited in the Web UI.

  • 6783: [RFE] Host-group names command rename

    Host groups can now be renamed with the IPA CLI: ‘ipa hostgroup-mod group-name --rename new-name’. Protected host groups (‘ipaservers’) cannot be renamed.

  • 7577: [RFE] DNS package check should be called earlier in installation routine

    The `--setup-dns` knob and the interactive installer now both check for the presence of freeipa-server-dns early and abort with an error before the actual deployment starts.

  • 7695: ipa service-del should display principal name instead of Invalid ‘principal’.

    When deleting services, the exact name of the required system principal that could not be deleted is now reported.

  • 8106: ca-certificate file not being parsed correctly on Ubuntu with due to data inserted by FreeIPA Client install

    On Debian-based platforms update-ca-certificates does not support multiple certificates in a single file. IPA installers now write one file per certificate on Debian-based platforms.

  • 8217: RFE: ipa-backup should compare locally and globally installed server roles

    ipa-backup now checks whether the local replica’s roles match those used in the cluster and exits with a warning if they do not, since a backup taken on such a host would not be sufficient for a proper restore. FreeIPA administrators are advised to double-check that the host on which backups are run has all the roles in use.

  • 8222: Upgrade dojo.js

    The version of the dojo.js framework used by the FreeIPA Web UI was upgraded to 1.16.2.

  • 8268: Prevent use of too long passwords

    Kerberos tools limit the password entered in kpasswd or kadmin to 1024 characters, but they cannot distinguish between a password that was cut off at 1024 characters and one that is exactly 1024 characters long. A limit of 1000 characters is therefore now applied everywhere in FreeIPA.

  • 8276: Add default password policy for sysaccounts

    cn=sysaccounts,cn=etc now has a default password policy that permits system accounts with the krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The “Default System Accounts Password Policy” enforces a minimum password length in case the password is modified directly over LDAP.

  • 8284: Upgrade jQuery version to actual one

    The version of the jQuery framework used by the FreeIPA Web UI was updated to 3.4.1.

  • 8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets

    Service delegation rules and targets now allow hosts to be specified as member principals of a rule or a target.

  • 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias

    Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.

  • 8301: The value of the first character in target* keywords is expected to be a double quote

    389-ds 1.4 enforces that the values of target* keywords (targetattr, targetfilter, etc.) are quoted; an ACI that contains unquoted values is ignored. Default FreeIPA access controls were fixed to follow the 389-ds syntax. Any third-party ACIs need to be updated manually.
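To help with the manual update of third-party ACIs mentioned above, here is an added example (not FreeIPA's own code) that reports target* keywords whose values are unquoted and rewrites them in the quoted form 389-ds 1.4 expects; the ACI strings are constructed samples.

```python
"""Added example (not FreeIPA's code): detect and repair 389-ds ACIs whose
target* keyword values are unquoted (ticket 8301).

389-ds 1.4 requires the value after targetattr, targetfilter and the other
target* keywords to be double-quoted and silently ignores an ACI that is not,
so the access control it was meant to grant or deny is lost. The sample ACIs
below are constructed for this example.
"""
import re

# Opening parenthesis, a target* keyword, "=" or "!=", then the value begins.
TARGET_KEYWORD = re.compile(r"\(\s*(target\w*)\s*(!?=)\s*")


def find_unquoted_targets(aci):
    """Return the target* keywords in `aci` whose value does not start with a
    double quote; an empty list means the ACI passes the 1.4 syntax check."""
    return [m.group(1) for m in TARGET_KEYWORD.finditer(aci)
            if not aci.startswith('"', m.end())]


def quote_targets(aci):
    """Return `aci` with every target* value double-quoted (idempotent).

    An unquoted value runs up to the parenthesis that closes its clause;
    parentheses nested inside the value, as in a targetfilter such as
    (objectClass=ipaHost), are balanced by counting depth."""
    out, pos = [], 0
    for m in TARGET_KEYWORD.finditer(aci):
        if m.start() < pos:
            continue  # match lies inside a value that was already consumed
        out.append(aci[pos:m.end()])
        pos = m.end()
        if aci.startswith('"', pos):
            continue  # already quoted; copied verbatim with the next slice
        depth, end = 0, pos
        while end < len(aci):
            ch = aci[end]
            if ch == "(":
                depth += 1
            elif ch == ")":
                if depth == 0:
                    break  # this parenthesis closes the target clause
                depth -= 1
            end += 1
        out.append('"' + aci[pos:end].strip() + '"')
        pos = end
    out.append(aci[pos:])
    return "".join(out)


def audit_acis(acis):
    """Map the index of each offending ACI to its unquoted keywords."""
    report = {}
    for index, aci in enumerate(acis):
        keywords = find_unquoted_targets(aci)
        if keywords:
            report[index] = keywords
    return report


# Constructed sample ACIs: one valid, two that 389-ds 1.4 would ignore.
GOOD_ACI = ('(targetattr = "cn || sn")(version 3.0; acl "read names"; '
            'allow (read, search, compare) userdn = "ldap:///anyone";)')
BAD_ATTR_ACI = ('(targetattr = cn || sn)(version 3.0; acl "read names"; '
                'allow (read, search, compare) userdn = "ldap:///anyone";)')
BAD_FILTER_ACI = ('(targetfilter = (objectClass=ipaHost))(targetattr = "cn")'
                  '(version 3.0; acl "read hosts"; allow (read) '
                  'userdn = "ldap:///anyone";)')
SAMPLE_ACIS = [GOOD_ACI, BAD_ATTR_ACI, BAD_FILTER_ACI]

if __name__ == "__main__":
    for index, keywords in audit_acis(SAMPLE_ACIS).items():
        print(f"ACI {index}: unquoted {', '.join(keywords)}")
        print("  fixed:", quote_targets(SAMPLE_ACIS[index]))
```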

  • 8315: [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings

    389-ds introduced an automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because the internal plugins that keep LDAP and Kerberos password hashes synchronized do not allow the password hash to be changed this way.

  • 8322: [RFE] Changing default hostgroup is too easy

    In the Web UI, a confirmation dialog was added to the automember configuration to prevent unintended modification of the default host group.

  • 8325: [WebUI] Fix htmlPrefilter issue in jQuery

    CVE-2020-11022: in jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA does not pass arbitrary content into the affected jQuery code path, but the jQuery fix was applied anyway.

  • 8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain

    When users from trusted Active Directory domains have permissions to manage IPA resources, they can now do so through the Web UI management console.

  • 8348: Allow managed permissions with ldap:///self bind rule

    Managed permissions can now address self-service operations. This makes it possible for third-party plugins to supply a full set of managed permissions.

  • 8357: Allow managing IPA resources as a user from a trusted Active Directory forest

    A third-party plugin providing management of IPA resources by users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles, thus allowing AD users to manage IPA.

  • 8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp

    LDAP authentication now handles Kerberos principal and password expiration times in the UTC time zone. Previously, the local server time zone was applied even though UTC was implied by the settings.
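An added example (not the ipa-pwd-extop code) modelling the time-zone mistake behind this fix: the same GeneralizedTime value read as UTC and read as server-local time, and the effect on whether a bind is accepted. The entry, the offsets and the simplification that both expiration attributes are treated as hard deadlines are assumptions of the example.

```python
"""Added example (not FreeIPA's ipa-pwd-extop code): the time-zone mistake
behind ticket 8362, modelled with an explicit UTC offset so that the result
does not depend on the machine running it.

krbPrincipalExpiration and krbPasswordExpiration are LDAP GeneralizedTime
values ending in Z, which means UTC. Converting the broken-down fields with
mktime() reads them as the server's local time and shifts the real deadline
by the zone offset; timegm() reads them as UTC, which is what the fix does.
"""
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def expiry_utc(value):
    """timegm()-style reading: the digits are UTC (the fixed behaviour)."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiry_as_local(value, server_utc_offset_hours):
    """mktime()-style reading: the digits are taken as wall-clock time on a
    server running at the given UTC offset (the pre-fix behaviour)."""
    zone = timezone(timedelta(hours=server_utc_offset_hours))
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=zone)


def bind_allowed(entry, now, server_utc_offset_hours=None):
    """Decide whether a simple bind against `entry` is accepted at `now`.

    With server_utc_offset_hours=None the timestamps are read as UTC; passing
    an offset reproduces the old local-time reading. Simplification assumed
    here: both expiration attributes are treated as hard deadlines."""
    for attr in ("krbPrincipalExpiration", "krbPasswordExpiration"):
        raw = entry.get(attr)
        if raw is None:
            continue  # no deadline set for this attribute
        if server_utc_offset_hours is None:
            deadline = expiry_utc(raw)
        else:
            deadline = expiry_as_local(raw, server_utc_offset_hours)
        if now >= deadline:
            return False
    return True


def disagreement_hours(value, server_utc_offset_hours):
    """Hours during which the two readings give different answers: an expired
    principal can still bind (server west of UTC) or a valid one is refused
    (server east of UTC) for exactly this long."""
    delta = expiry_as_local(value, server_utc_offset_hours) - expiry_utc(value)
    return abs(delta.total_seconds()) / 3600


# Constructed entry: the principal expires at 12:00 UTC on 2020-06-01.
SAMPLE_ENTRY = {"uid": "alice", "krbPrincipalExpiration": "20200601120000Z"}

if __name__ == "__main__":
    now = expiry_utc("20200601140000Z")  # two hours after the real deadline
    print("UTC reading, bind allowed:", bind_allowed(SAMPLE_ENTRY, now))
    print("UTC-5 local reading, bind allowed:",
          bind_allowed(SAMPLE_ENTRY, now, server_utc_offset_hours=-5))
    print("hours of disagreement:", disagreement_hours("20200601120000Z", -5))
```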


Known Issues

Bug fixes

FreeIPA 4.8.7 is a stabilization release for the features delivered as a part of 4.8 version series.

There are more than 70 bug fixes; their details can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list or the #freeipa channel on Freenode.

Resolved tickets

  • #3687 (rhbz#913799) [RFE] IPA user account expiry warning.

  • #3827 [RFE] Expose TTL in web UI

  • #6474 Remove ipaplatform dependency from ipa modules

  • #6783 (rhbz#1430365) [RFE] Host-group names command rename

  • #6857 ipa_pwd.c: Use OpenSSL instead of NSS for hashing

  • #6884 (rhbz#1441262) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group

  • #7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs

  • #7577 (rhbz#1579296) [RFE] DNS package check should be called earlier in installation routine

  • #7695 (rhbz#1623763) ipa service-del should display principal name instead of Invalid ‘principal’.

  • #8017 (rhbz#1817927) host-add --password logs cleartext userpassword to Apache error log

  • #8064 Request for IPA CI to enable DS audit/auditfail logging

  • #8066 (rhbz#1750242) Don’t use -t option to klist in adtrust code when timestamp is not needed

  • #8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.

  • #8101 Wrong pytest requirement in specfile

  • #8106 ca-certificate file not being parsed correctly on Ubuntu with due to data inserted by FreeIPA Client install

  • #8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements

  • #8159 please migrate to the new Fedora translation platform

  • #8163 (rhbz#1782572) “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]

  • #8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs

  • #8186 Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates

  • #8217 (rhbz#1810154) RFE: ipa-backup should compare locally and globally installed server roles

  • #8222 Upgrade dojo.js

  • #8247 test_fips PR-CI templates have a too-short timeout

  • #8251 [Azure] Catch coredumps

  • #8254 [Azure] ‘Tox’ task fails against Python3.8

  • #8261 [ipatests] Integration tests fail on non-firewalld distros

  • #8262 test_ipahealthcheck needs a higher timeout than 3600

  • #8264 Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user

  • #8265 [ipatests] `/var/log/ipaupgrade.log` is not collected

  • #8266 test_webui_server requires a higher timeout than 3600

  • #8268 Prevent use of too long passwords

  • #8272 Use /run instead of /var/run

  • #8273 (rhbz#1834385) Man page syntax issue detected by rpminspect

  • #8276 Add default password policy for sysaccounts

  • #8283 Failures and AVCs with OpenDNSSEC 2.1

  • #8284 Upgrade jQuery version to actual one

  • #8287 named not starting after #8079, ipa-ext.conf breaks bind

  • #8289 ipa servicedelegationtarget-add-member does not allow to add hosts as targets

  • #8290 API inconsistencies

  • #8291 krb5kdc crashes in IPA plugin on use of IPA Windows principal alias

  • #8297 Fix new pylint 2.5.0 warnings and errors

  • #8298 [WebUI] Cover membership management with UI tests

  • #8300 Replace uglify-js with python3-rjsmin

  • #8301 The value of the first character in target* keywords is expected to be a double quote

  • #8306 Adopt Black code style

  • #8307 make devcheck fails for test_ipatests_plugins/

  • #8308 (rhbz#1829787) ipa service-del deletes the required principal when specified in lower/upper case

  • #8309 Convert ipaplatform from namespace package to regular package

  • #8311 (rhbz#1825829) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3

  • #8312 Fix api.env.in_tree detection logic

  • #8313 Values of api.env.mode are inconsistent

  • #8315 (rhbz#1833266) [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings

  • #8316 [Azure] Whitelist clock_adjtime syscall

  • #8317 XML-RCP and CLI tests depend on internal --force option

  • #8319 Support server referrals for enterprise principals

  • #8322 [RFE] Changing default hostgroup is too easy

  • #8323 [Build failure] Race: make po fails on parallel build

  • #8325 [WebUI] Fix htmlPrefilter issue in jQuery

  • #8328 krbtpolicy-mod cannot handle two auth ind options of the same type at the same time

  • #8330 [Azure] Build job fails on `tests` container preparation

  • #8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain

  • #8338 [WebUI] Host detail with no assigned ID view makes invalid RPC call

  • #8339 [WebUI] User details tab headers don’t show member count when on settings tab

  • #8348 Allow managed permissions with ldap:///self bind rule

  • #8349 bind-9.16 and dnssec-enable

  • #8350 bind-9.16 and DLV

  • #8352 RPC API crashes when a user is disabled while a session exists

  • #8357 Allow managing IPA resources as a user from a trusted Active Directory forest

  • #8358 TTL of DNS record can be set to negative value

  • #8359 [WebUI] dnsrecord_mod results in JS error

  • #8362 (rhbz#1826659) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp

  • #8363 DNS config upgrade code fails

Detailed changelog since 4.8.6

Armando Neto (1)

  • prci: update templates for new Fedora release

Alexander Bokovoy (35)

  • Become FreeIPA 4.8.7

  • ipa-4-8: update list of contributors

  • ipa-4-8: Update translation files before 4.8.7 release

  • ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset #8362

  • ipatests: test that adding Active Directory user to a role makes it an administrator #8357

  • Web UI: allow users from trusted Active Directory forest manage IPA #8335

  • tests: account for ID overrides as members of groups and roles #7255

  • Support adding user ID overrides as group and role members #7255

  • idviews: handle unqualified ID override lookups from Web UI #7255

  • support using trust-related operations in the server console

  • kdb: handle enterprise principal lookup in AS_REQ #8319

  • azure: do not run test_commands due to failures in low memory cases

  • test_smb: test S4U2Self operation by IPA service #8319

  • ipa-kdb: refactor principal lookup to support S4U2Self correctly #8319

  • ipa-kdb: cache local TGS in the driver context #8319

  • ipa-kdb: add primary group to list of groups in MS-PAC #8319

  • ipa-kdb: Always allow services to get PAC if needed #8319

  • ipa-kdb: add asserted identity SIDs #8319

  • kdb: add minimal server referrals support for enterprise principals #8319

  • ipa-tests: add a test to make sure MS-PAC is produced by KDC #8319

  • ipa-print-pac: acquire and print PAC record for a user #8319

  • ipa-kdb: add UPN_DNS_INFO PAC structure #8319

  • baseldap: de-duplicate passed attributes when checking for limits #8328

  • service delegation: allow to add and remove host principals #8289

  • WebUI: use python3-rjsmin to minify JavaScript files #8300

  • test_smb: test that we can auth as NetBIOS alias #8291

  • kdb: fix memory handling in ipadb_find_principal #8291

  • kdb: initialize flags in ipadb_delete_principal() #8291

  • Azure Pipelines: switch to Fedora 32

  • Azure Pipelines: Override services known to not work in containers

  • Add pytest.skip_if_container()

  • CVE-2020-1722: prevent use of too long passwords #8268

  • Allow rename of a host group #6783

  • Add ‘api’ and ‘aci’ targets to make

  • Remove Fedora repository fastmirror selection

Peter Keresztes Schmidt (10)

  • Split named custom config to allow changes in options stanza #8287

  • util: replace NSS usage with OpenSSL #6857

  • util: add unit test for pw hashing #6857

  • po: remove zanata config since translation was moved to weblate #8159

  • Specify min and max values for TTL of a DNS record #8358

  • WebUI: Add units to some DNS zone and IPA config fields

  • WebUI: Expose TTL of DNS records #3827

  • WebUI: Refresh DNS record data correctly after mod operation #8359

  • WebUI: Fix invalid RPC calls when link widget has no pkey passed #8338

  • WebUI: Use data adapter to load facet header data #8339

Christian Heimes (43)

  • Overhaul bind upgrade process

  • Fix named.conf named_conf_include_re

  • Remove named_validate_dnssec update step

  • More upgrade tests

  • Fix named.conf update bug NAMED_DNSSEC_VALIDATION #8363

  • Auto-generated ipa-epn files to gitignore

  • libotp: Replace NSS with OpenSSL HMAC #6857

  • Include named config files in backup

  • Handle DatabaseError in RPC-Server connect() #8352

  • Allow permissions with ‘self’ bindruletype #8348

  • make: serialize strip-po / strip-pot #8323

  • Remove obsolete BIND named.conf options #8349, #8350

  • Add ipa-print-pac to gitignore

  • Allow dnsrecord-add --force on clients #8317

  • Check for freeipa-server-dns package early #7577

  • Hard-code in_tree=True for tests #8317

  • Fix detection logic for api.env.in_tree #8312

  • Make api.env.mode consistent #8313

  • Disable password schema update on LDAP bind #8315

  • Use httpd 2.4 syntax for access control

  • Fix make devcheck #8307

  • Make ipaplatform a regular top-level package #6474, #8309

  • Reconfigure pycodestyle #8306

  • Manually reformat ipapython/ #8306

  • Silence W601 .has_key() is deprecated #8306

  • Fix E722 do not use bare ‘except’ #8306

  • Fix E721 do not compare types, use ‘isinstance()’ #8306

  • Fix E714 test for object identity should be ‘is not’ #8306

  • Fix E713 test for membership should be ‘not in’ #8306

  • Fix E712 comparison to True / False #8306

  • Fix E711 comparison to None #8306

  • Fix E266 too many leading ‘#’ for block comment #8306

  • Simplify pki proxy conf

  • Make check_required_principal() case-insensitive #8308

  • Address issues found by new pylint 2.5.0 #8297

  • Add skip_if_platform marker

  • Define default password policy for sysaccounts #8276

  • Use api.env.container_sysaccounts #8276

  • Fix exception escape warning

  • Fix APIVersion.__getnewargs__

  • servrole: takes_params must be a tuple #8290

  • Fix various OpenDNSSEC 2.1 issues #8283

  • Use /run and /run/lock instead of /var #8272

François Cami (13)

  • IPA-EPN: Test suite. #3687

  • IPA-EPN: First version. #3687

  • ipatests: add KRB5_TRACE to kinit in

  • add krb5_trace to create_active_user and kinit_as_user

  • tox.ini: switch from W503 to W504

  • ipatests: increase test_webui_server timeout #8266

  • ipatests: increase test_ipahealthcheck timeout #8262

  • ipatests: move ipa_backup to tasks #8217

  • ipa-backup: Make sure all roles are installed on the current master. #8217

  • test_backup_and_restore: add server role verification steps #8217

  • ipatests: test ipa-backup with different role configurations. #8217

  • nightly_ipa-4-8_previous.yaml: fix typo

  • pr-ci templates: update test_fips timeouts #8247

Florence Blanc-Renaud (4)

  • ipatests: Check if user with ‘User Administrator’ role can delete group. #6884

  • ipatests: enable 389-ds audit log and collect audit file #8064

  • ipa-advise: fallback to /usr/libexec/platform-python if python3 not found #8311

  • Man pages: fix syntax issues #8273

Francisco Trivino (1)

  • prci_definitions: remove test_smb from ipa-4-8 gating workflow

Fraser Tweedale (10)

  • upgrade: avoid stopping certmonger when fixing requests #8186

  • httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure #8186

  • ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname #8186

  • upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate #8186

  • httpinstance: add ipa-ca.$DOMAIN alias in initial request #8186

  • cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers #8186

  • httpinstance: add fqdn and ipa-ca alias to Certmonger request #8186

  • certmonger: support dnsname as request search criterion #8186

  • certmonger: move ‘criteria’ description to module docstring #8186

  • certmonger: avoid mutable default argument #8186

Kaleemullah Siddiqui (1)

  • Test for check of HostKeyAlgorithms option in ssh_config #8082

Miro Hrončok (1)

Michal Polovka (2)

  • Test for healthcheck being run on replica with stopped master

  • Test for output being indented by default value if not stated implicitly.

Mohammad Rizwan Yusuf (6)

  • ipatests: Test deletion of required principal throws proper error #7695

  • Display principal name while del required principal #7695

  • WebUI tests: fix PEP8 issues in test_webui/

  • webui: check if notification area doesn’t intercept menu button #8120

  • ipatests: Test to check password leak in apache error log #8017

  • ipatests: Test if proper error thrown when AD user tries to run IPA commands #8163

Rob Crittenden (12)

  • IPA-EPN: Don’t treat givenname differently #3687

  • IPA-EPN: add test to validate smtp_delay value #3687

  • IPA-EPN: add smtp_delay to limit the velocity of e-mails sent #3687

  • IPA-EPN: Add tests for --mail-test option #3687

  • IPA-EPN: Add mail-test option for testing sending live email #3687

  • IPA-EPN: test using SSL against port 465 #3687

  • IPA-EPN: Add test for starttls mode #3687

  • IPA-EPN: Add tests for sending real mail with auth and templates #3687

  • IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions #3687

  • Add index for krbPasswordExpiration for EPN #3687

  • Add a jinja2 e-mail template for EPN #3687

  • Perform baseline healthcheck

Sam Morris (1)

  • Debian: write out only one CA certificate per file #8106

Sergio Oliveira Campos (1)

  • Add test for sssd ad trust lookup with dn in certmaprule

Stanislav Levin (18)

  • Azure: Make dnf repos consistent #8330

  • Azure: Always update apt cache

  • Azure: Allow chronyd to sync time #8316

  • Azure: Add custom seccomp profile #8316

  • Azure: Increase memory limit #8264

  • ipatests: Collect all logs on all Unix hosts #8265

  • ipatests: Pretty print multihost config #8265

  • ipatests: Cleanup ‘collect_logs’ decorator #8265

  • ipatests: Specify shell implementation #8101

  • ipatests: Specify Pytest XML report schema #8101

  • ipatests: Remove no longer needed ‘skip’ compatibility #8101

  • ipatests: Remove no longer needed ‘capture’ compatibility #8101

  • ipatests: Remove no longer needed ‘get_marker’ #8101

  • ipatests: Remove deprecated yield_fixture #8101

  • ipatests: Bump required Pytest #8101

  • ipatests: Mark firewalld commands as no-op on non-firewalld distros #8261

  • Azure: Gather coredumps #8251

  • Azure: Allow distros to install Python they want #8254

Sergey Orlov (10)

  • ipatests: mark test_trustdomain_disable test as expectedly failing

  • ipatests: add context manager for declaring part of test as xfail

  • ipatests: add utility for getting sssd version on remote host

  • update prci definitions for

  • ipatests: add test for sssd behavior with disabled trustdomains

  • ipatests: run all cases from test_integration/ in nightlies

  • ipatests: explicitly save output of certutil

  • ipatests: add AD DC as a DNS forwarder before establishing trust

  • ipatests: add missing classes from test_installation in nightly runs

  • ipatests: run test_integration/ in PR-CI

Sumedh Sidhaye (2)

  • Test for removing a subgroup

  • Test to check if Certmonger tracks certs in between reboots/interruptions and while in “CA_WORKING” state #8164

Stasiek Michalski (1)

  • Support for SUSE/openSUSE ipaplatform

Serhii Tsymbaliuk (6)

  • WebUI: Apply jQuery patch to fix htmlPrefilter issue #8325

  • WebUI tests: Add confirmation step after changing default group in automember tests #8322

  • WebUI: Add confirmation dialog for changing default user/host group #8322

  • WebUI tests: cover membership management with UI tests #8298

  • Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1 #8284

  • Web UI: Upgrade Dojo version 1.13.0 -> 1.16.2 #8222

sumenon (7)

  • ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files

  • ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck

  • ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck

  • ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8 #8066

  • ipatests: Test for ipahealthcheck tool for IPADomainCheck.

  • ipatests: Test for ipahealthcheck.ds.ruv check

  • Test for ipahealthcheck.ipa.idns check when integrated DNS is setup

Timo Aaltonen (4)

  • ipatests/test_installation: Use knownservices to map the service name.

  • ipatests/test_commands: Check sssd version like on test_sssd

  • Debian: Use parse_ipa_version from redhat.

  • Debian: Use enable/disable_ldap_automount() from base

Viktor Ashirov (1)