The FreeIPA team would like to announce the FreeIPA 4.8.7 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.8.7
3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose password will expire in the near future, and either display the list in a machine-readable (JSON) format or send email notifications to these users. EPN provides command-line options to display the list of affected users. This allows data introspection and helps to understand how many emails would be sent for a given day or date range. The command-line options can also be used by a monitoring system to raise an alert whenever more emails than the SMTP quota allows would be sent. EPN is meant to be launched once a day, from a systemd timer, on an IPA client (preferred) or replica. EPN does not keep state: the list of affected users is built at runtime and never stored.
3827: [RFE] Expose TTL in web UI
DNS record time-to-live (TTL) parameters can now be edited in the Web UI.
6783: [RFE] Host-group names command rename
Host groups can now be renamed with the IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected host groups ('ipaservers') cannot be renamed.
7577: [RFE] DNS package check should be called earlier in installation routine
The '--setup-dns' knob and the interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before the actual deployment starts.
7695: ipa service-del should display principal name instead of Invalid ‘principal’.
When deleting services, the exact name of a required system principal that couldn't be deleted is now reported.
8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms update-ca-certificates does not support multiple certificates in a single file. IPA installers now write one file per certificate on Debian-based platforms.
8217: RFE: ipa-backup should compare locally and globally installed server roles
ipa-backup now checks whether the local replica's roles match those used in the cluster and exits with a warning if this is not the case, as backups taken on this host would not be sufficient for a proper restore. FreeIPA administrators are advised to double check that the host on which backups are run has all the necessary (used) roles.
8222: Upgrade dojo.js
The version of the dojo.js framework used by the FreeIPA Web UI was upgraded to 1.16.2.
8268: Prevent use of too long passwords
Kerberos tools limit a password entered in kpasswd or kadmin to 1024 characters but do not allow distinguishing between a password cut off at 1024 characters and a password that is exactly 1024 characters long. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.
8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy that permits system accounts with the krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is modified directly via LDAP.
8284: Upgrade jQuery version to actual one
The version of the jQuery framework used by the FreeIPA Web UI was updated to 3.4.1.
8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets
Service delegation rules and targets now allow hosts to be specified as a member principal of a rule or a target.
8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.
8301: The value of the first character in target* keywords is expected to be a double quote
389-ds 1.4 enforces the syntax for target* keywords (targetattr, targetfilter, etc.): their values must be quoted. Otherwise, an ACI that contains unquoted parameters is ignored. Default FreeIPA access controls were fixed to follow the 389-ds syntax. Any third-party ACIs need to be updated manually.
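As an added example (not FreeIPA's own code), a small Python audit of the quoting rule described above: it scans ACI strings for target* clauses whose value does not start with a double quote, which is what makes 389-ds 1.4 drop the whole ACI. The sample ACIs are constructed.

```python
import re

# Matches the start of a target* clause: "(" keyword, optional "!", "=", then
# the first non-blank character of the value. 389-ds 1.4 requires that
# character to be a double quote.
_TARGET_CLAUSE = re.compile(
    r"\(\s*(?P<kw>target(?:attrfilters|attr|filter|scope|_from|_to)?)"
    r"\s*(?P<op>!?=)\s*(?P<first>\S)",
    re.IGNORECASE,
)

# Constructed sample ACIs in 389-ds syntax; only the first one is accepted
# by 389-ds 1.4, the other two are silently ignored.
SAMPLE_ACIS = [
    '(targetattr = "cn || sn")(targetfilter = "(objectclass=person)")'
    '(version 3.0; acl "read names"; allow (read) userdn = "ldap:///anyone";)',
    '(targetattr = "userPassword")(targetfilter = (objectclass=person))'
    '(version 3.0; acl "pw self"; allow (write) userdn = "ldap:///self";)',
    '(targetattr = cn)'
    '(version 3.0; acl "read cn"; allow (read) userdn = "ldap:///anyone";)',
]


def unquoted_targets(aci):
    """Return the target* keywords in `aci` whose value does not start with '"'.

    An empty list means 389-ds 1.4 will parse and enforce the ACI.
    """
    return [m.group("kw").lower() for m in _TARGET_CLAUSE.finditer(aci)
            if m.group("first") != '"']


def audit_acis(acis):
    """Map each ACI that 389-ds 1.4 would ignore to its offending keywords."""
    ignored = {}
    for aci in acis:
        bad = unquoted_targets(aci)
        if bad:
            ignored[aci] = bad
    return ignored


if __name__ == "__main__":
    for aci, keywords in audit_acis(SAMPLE_ACIS).items():
        print("ignored by 389-ds 1.4 (unquoted %s): %s" % (", ".join(keywords), aci))
```

Run it over the aci attribute values exported from your directory suffix (for example with ldapsearch) to find third-party ACIs that need updating around the upgrade.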
8315: [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings
389-ds 18.104.22.168 introduced an automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing the password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.
8322: [RFE] Changing default hostgroup is too easy
In the Web UI, a confirmation dialog was added to the automember configuration to prevent unintended modification of the default host group.
8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA does not allow arbitrary code to be passed into the affected jQuery path, but we applied the jQuery fix anyway.
8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain
When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.
8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now address self-service operations. This makes it possible for 3rd-party plugins to supply a full set of managed permissions.
8357: Allow managing IPA resources as a user from a trusted Active Directory forest
A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.
8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
LDAP authentication now handles the Kerberos principal and password expiration time in the UTC time zone. Previously, the local server time zone was applied even though UTC was implied by the settings.
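An added example (not the ipa-epn tool itself) of the two behaviours described above: EPN's stateless expiry-window calculation from #3687 and the UTC handling of expiration timestamps from #8362. The sample users, the fixed NOW and the use of krbPasswordExpiration as the attribute are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries shaped like the user attributes FreeIPA stores:
# uid, mail and krbPasswordExpiration (LDAP generalized time, always UTC).
SAMPLE_USERS = [
    {"uid": "alice", "mail": "alice@example.test", "krbPasswordExpiration": "20200615083000Z"},
    {"uid": "bob", "mail": "bob@example.test", "krbPasswordExpiration": "20200701000000Z"},
    {"uid": "carol", "mail": "carol@example.test", "krbPasswordExpiration": "20200601120000Z"},
    {"uid": "svc", "mail": None, "krbPasswordExpiration": "20200610000000Z"},
]
# Constructed "today" for the run; a real run would use datetime.now(timezone.utc).
NOW = datetime(2020, 6, 5, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse YYYYMMDDHHMMSSZ as an aware UTC datetime.

    The trailing 'Z' means UTC; reading it in the server's local zone is the
    mistake behind #8362, so a value without 'Z' is rejected outright.
    """
    if not value.endswith("Z"):
        raise ValueError("expected UTC generalized time ending in 'Z': %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiring_users(users, now, days_from, days_to):
    """Users whose password expires between now+days_from and now+days_to.

    Built on every call and never stored, like EPN. Already-expired
    passwords are left out: they need a reset, not a warning.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    start, end = now + timedelta(days=days_from), now + timedelta(days=days_to)
    hits = []
    for user in users:
        expiry = parse_generalized_time(user["krbPasswordExpiration"])
        if start <= expiry <= end:
            hits.append({"uid": user["uid"], "mail": user["mail"],
                         "expires": expiry.isoformat()})
    return hits


def plan(users, now, days_from, days_to, smtp_quota):
    """Split affected users into mailable / no-mail and flag an SMTP quota overrun."""
    hits = expiring_users(users, now, days_from, days_to)
    mailable = [u for u in hits if u["mail"]]
    return {"mailable": mailable, "no_mail": [u for u in hits if not u["mail"]],
            "over_quota": len(mailable) > smtp_quota}
```

The over_quota flag is the monitoring hook: a daily run that returns it set is the signal to alert before any notification is sent.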
FreeIPA 4.8.7 is a stabilization release for the features delivered as part of the 4.8 version series.
There are more than 70 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrade instructions are available on the Upgrade page.
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://email@example.com/) or #freeipa channel on Freenode.
#3827 [RFE] Expose TTL in web UI
#6474 Remove ipaplatform dependency from ipa modules
#6857 ipa_pwd.c: Use OpenSSL instead of NSS for hashing
#7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
#8064 Request for IPA CI to enable DS audit/auditfail logging
#8101 Wrong pytest requirement in specfile
#8106 ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
#8159 please migrate to the new Fedora translation platform
#8186 Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
#8222 Upgrade dojo.js
#8247 test_fips PR-CI templates have a too-short timeout
#8251 [Azure] Catch coredumps
#8254 [Azure] ‘Tox’ task fails against Python3.8
#8261 [ipatests] Integration tests fail on non-firewalld distros
#8262 test_ipahealthcheck needs a higher timeout than 3600
#8264 Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
#8265 [ipatests] `/var/log/ipaupgrade.log` is not collected
#8266 test_webui_server requires a higher timeout than 3600
#8268 Prevent use of too long passwords
#8272 Use /run instead of /var/run
#8276 Add default password policy for sysaccounts
#8283 Failures and AVCs with OpenDNSSEC 2.1
#8284 Upgrade jQuery version to actual one
#8287 named not starting after #8079, ipa-ext.conf breaks bind
#8289 ipa servicedelegationtarget-add-member does not allow to add hosts as targets
#8290 API inconsistencies
#8291 krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
#8297 Fix new pylint 2.5.0 warnings and errors
#8298 [WebUI] Cover membership management with UI tests
#8300 Replace uglify-js with python3-rjsmin
#8301 The value of the first character in target* keywords is expected to be a double quote
#8306 Adopt Black code style
#8307 make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
#8309 Convert ipaplatform from namespace package to regular package
#8312 Fix api.env.in_tree detection logic
#8313 Values of api.env.mode are inconsistent
#8316 [Azure] Whitelist clock_adjtime syscall
#8317 XML-RCP and CLI tests depend on internal --force option
#8319 Support server referrals for enterprise principals
#8322 [RFE] Changing default hostgroup is too easy
#8323 [Build failure] Race: make po fails on parallel build
#8325 [WebUI] Fix htmlPrefilter issue in jQuery
#8328 krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
#8330 [Azure] Build job fails on `tests` container preparation
#8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain
#8338 [WebUI] Host detail with no assigned ID view makes invalid RPC call
#8339 [WebUI] User details tab headers don’t show member count when on settings tab
#8349 bind-9.16 and dnssec-enable
#8350 bind-9.16 and DLV
#8352 RPC API crashes when a user is disabled while a session exists
#8357 Allow managing IPA resources as a user from a trusted Active Directory forest
#8358 TTL of DNS record can be set to negative value
#8359 [WebUI] dnsrecord_mod results in JS error
#8363 DNS config upgrade code fails
Detailed changelog since 4.8.6
Armando Neto (1)
prci: update templates for new Fedora release
Alexander Bokovoy (35)
Become FreeIPA 4.8.7
ipa-4-8: update list of contributors
ipa-4-8: Update translation files before 4.8.7 release
support using trust-related operations in the server console
azure: do not run test_commands due to failures in low memory cases
Azure Pipelines: switch to Fedora 32
Azure Pipelines: Override services known to not work in containers
Add pytest.skip_if_container()
Add 'api' and 'aci' targets to make
Remove Fedora repository fastmirror selection
Peter Keresztes Schmidt (10)
WebUI: Add units to some DNS zone and IPA config fields
Christian Heimes (43)
Overhaul bind upgrade process
Fix named.conf named_conf_include_re
Remove named_validate_dnssec update step
More upgrade tests
Auto-generated ipa-epn files to gitignore
Include named config files in backup
Add ipa-print-pac to gitignore
Use httpd 2.4 syntax for access control
Simplify pki proxy conf
Add skip_if_platform marker
Fix exception escape warning
Fix APIVersion.__getnewargs__
François Cami (13)
ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py
tasks.py: add krb5_trace to create_active_user and kinit_as_user
tox.ini: switch from W503 to W504
nightly_ipa-4-8_previous.yaml: fix typo
Florence Blanc-Renaud (4)
Francisco Trivino (1)
prci_definitions: remove test_smb from ipa-4-8 gating workflow
Fraser Tweedale (10)
Kaleemullah Siddiqui (1)
Miro Hrončok (1)
Fix a syntax typo
Michal Polovka (2)
Mohammad Rizwan Yusuf (6)
WebUI tests: fix PEP8 issues in test_webui/test_user.py
Rob Crittenden (12)
Perform baseline healthcheck
Sam Morris (1)
Sergio Oliveira Campos (1)
Add test for sssd ad trust lookup with dn in certmaprule
Stanislav Levin (18)
Azure: Always update apt cache
Sergey Orlov (10)
ipatests: mark test_trustdomain_disable test as expectedly failing
ipatests: add context manager for declaring part of test as xfail
ipatests: add utility for getting sssd version on remote host
update prci definitions for test_sssd.py
ipatests: add test for sssd behavior with disabled trustdomains
ipatests: run all cases from test_integration/test_idviews.py in nightlies
ipatests: explicitly save output of certutil
ipatests: add AD DC as a DNS forwarder before establishing trust
ipatests: add missing classes from test_installation in nightly runs
ipatests: run test_integration/test_cert.py in PR-CI
Sumedh Sidhaye (2)
Stasiek Michalski (1)
Support for SUSE/openSUSE ipaplatform
Serhii Tsymbaliuk (6)
ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files
ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck
ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck
ipatests: Test for ipahealthcheck tool for IPADomainCheck.
ipatests: Test for ipahealthcheck.ds.ruv check
Test for ipahealthcheck.ipa.idns check when integrated DNS is setup