The FreeIPA team would like to announce the FreeIPA 4.8.7 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.8.7#
3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone tool (ipa-epn) that builds a list of users whose passwords will expire in the near future and either prints that list in a machine-readable (JSON) format or sends an email notification to each affected user. The command-line options that print the list give insight into the data: how many emails would be sent on a given day or within a given date range. A monitoring system can use the same options to raise an alert whenever the number of emails to be sent would exceed the SMTP quota. EPN is meant to be launched once a day from a systemd timer, on an IPA client (preferred) or on a replica. EPN keeps no state: the list of affected users is built at runtime and never stored.
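The selection step and the quota check described above, as an added example that is not FreeIPA's ipa-epn code: it re-implements, over constructed LDAP-style entries, the runtime computation of users whose krbPasswordExpiration falls inside a window of days from now, plus the count check a monitoring job would apply. Attribute names follow the IPA user schema (uid, mail, krbPasswordExpiration as LDAP GeneralizedTime in UTC); the sample users, the fixed date and the half-open window convention are this example's own choices.

```python
"""Expiring-password selection and SMTP-quota check, in the spirit of ipa-epn.

Added example, not FreeIPA's ipa-epn code. Attribute names mirror the IPA
user schema; the entries, the fixed "today" and the [from, to) window
convention are constructed for the demonstration.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample entries, not real accounts.
SAMPLE_ENTRIES = [
    {"uid": "alice", "mail": "alice@example.test",
     "krbPasswordExpiration": "20200610120000Z"},
    {"uid": "bob", "mail": "bob@example.test",
     "krbPasswordExpiration": "20200620080000Z"},
    {"uid": "carol", "mail": "carol@example.test",
     "krbPasswordExpiration": "20200701000000Z"},
    # A system-style account without a mail attribute: listed, but not mailable.
    {"uid": "svc-backup", "mail": None,
     "krbPasswordExpiration": "20200612000000Z"},
    # No expiration recorded at all: nothing to warn about.
    {"uid": "dave", "mail": "dave@example.test"},
]

# Fixed "today" so the run is reproducible; a real job would use datetime.now(timezone.utc).
DEMO_NOW = datetime(2020, 6, 8, 9, 0, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def users_expiring_in_window(entries, from_nbdays, to_nbdays, now):
    """Entries whose password expires in [now + from_nbdays, now + to_nbdays).

    Built from scratch on every call: nothing is remembered between runs,
    so the window has to cover every date you want notified.
    """
    if from_nbdays < 0 or to_nbdays <= from_nbdays:
        raise ValueError("need 0 <= from_nbdays < to_nbdays")
    start = now + timedelta(days=from_nbdays)
    end = now + timedelta(days=to_nbdays)
    hits = []
    for entry in entries:
        raw = entry.get("krbPasswordExpiration")
        if not raw:
            continue
        if start <= parse_generalized_time(raw) < end:
            hits.append(entry)
    return sorted(hits, key=lambda e: e["krbPasswordExpiration"])


def mail_recipients(hits):
    """Addresses that would actually be mailed: entries without mail are skipped."""
    return [e["mail"] for e in hits if e.get("mail")]


def over_quota(hits, smtp_quota):
    """Monitoring check: would notifying `hits` exceed the allowed number of mails?"""
    return len(mail_recipients(hits)) > smtp_quota


if __name__ == "__main__":
    hits = users_expiring_in_window(SAMPLE_ENTRIES, 0, 7, DEMO_NOW)
    print(json.dumps(hits, indent=2))   # machine-readable list, as a dry run would print
    print("would mail:", mail_recipients(hits))
    print("over quota of 1:", over_quota(hits, 1))
```

Note that an entry without a mail attribute is still listed (it counts for introspection) but never counted against the SMTP quota, and an entry without krbPasswordExpiration is skipped rather than treated as "expires now"; both are cases a notification job has to decide on explicitly.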
3827: [RFE] Expose TTL in web UI
DNS record time to live (TTL) values can now be edited in the Web UI.
6783: [RFE] Host-group names command rename
Host groups can now be renamed with the IPA CLI: ‘ipa hostgroup-mod group-name --rename new-name’. Protected host groups (‘ipaservers’) cannot be renamed.
7577: [RFE] DNS package check should be called earlier in installation routine
Both the ``--setup-dns`` option and the interactive installer now check for the presence of the freeipa-server-dns package early, and abort the installer with an error before the actual deployment starts.
7695: ipa service-del should display principal name instead of Invalid ‘principal’.
When a service is deleted, the exact name of a required system principal that could not be deleted is now reported instead of a generic error.
8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms, update-ca-certificates does not support multiple certificates in a single file. The IPA installers now write one file per certificate on those platforms.
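One way to do that split, as an added example rather than the FreeIPA installer's own code: the bundle is cut into individual PEM blocks and each is written as its own .crt file under the directory update-ca-certificates scans (/usr/local/share/ca-certificates/ is the usual location for locally added CAs; the ipa-ca-<digest>.crt naming is this example's convention). The certificate bodies in the sample bundle are placeholders, not real certificates.

```python
"""Split a CA bundle into one file per certificate for update-ca-certificates.

Added example, not the FreeIPA installer's own code. The destination
directory and the file-name scheme are this example's assumptions; the
sample bundle is constructed and its base64 bodies are not real certificates.
"""
import hashlib
import os
import re
import tempfile

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return the individual PEM certificate blocks in `text`, in order.

    Text between blocks (comments, bag attributes) is dropped, and a
    truncated trailing block without an END line is ignored instead of
    being written out as a broken file.
    """
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(text)]


def cert_filename(prefix, pem):
    """Stable per-certificate name: prefix plus a short digest of the PEM text."""
    digest = hashlib.sha256(pem.encode("ascii")).hexdigest()[:16]
    return f"{prefix}-{digest}.crt"


def write_per_cert_files(bundle_text, dest_dir, prefix="ipa-ca"):
    """Write each certificate of `bundle_text` to its own .crt file in dest_dir.

    Returns the list of paths written. Run update-ca-certificates afterwards.
    """
    os.makedirs(dest_dir, exist_ok=True)
    paths = []
    for pem in split_pem_bundle(bundle_text):
        path = os.path.join(dest_dir, cert_filename(prefix, pem))
        with open(path, "w", encoding="ascii") as f:
            f.write(pem)
        os.chmod(path, 0o644)  # world-readable, root-writable, like the other trust files
        paths.append(path)
    return paths


# Constructed sample bundle: the base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
# IPA CA chain (comment lines like this are ignored by the splitter)
-----BEGIN CERTIFICATE-----
MIIBfakeROOTcertificatebody0000000000000000000000000000000000000=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBfakeSUBcertificatebody00000000000000000000000000000000000000=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBtruncatedTrailingBlockWithoutEndMarker
"""


def demo(dest_dir=None):
    """Write SAMPLE_BUNDLE into dest_dir (a fresh temp dir by default); return the paths."""
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="ca-split-")
    return write_per_cert_files(SAMPLE_BUNDLE, dest_dir)


if __name__ == "__main__":
    # For a real deployment: demo("/usr/local/share/ca-certificates") as root,
    # then run update-ca-certificates.
    print("\n".join(demo()))
```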
8217: RFE: ipa-backup should compare locally and globally installed server roles
ipa-backup now checks whether the roles installed on the local replica cover all the roles used in the topology, and exits with a warning if they do not, because a backup taken on such a host would not be sufficient for a proper restore. FreeIPA administrators are advised to double check that the host on which backups are run has all the roles that are in use.
8222: Upgrade dojo.js
Version of dojo.js framework used by FreeIPA Web UI was upgraded to 1.16.2.
8268: Prevent use of too long passwords
The Kerberos tools (kpasswd, kadmin) limit an entered password to 1024 characters, but do not make it possible to distinguish a password that was cut off at 1024 characters from one that is exactly 1024 characters long. A limit of 1000 characters is therefore now applied everywhere in FreeIPA (tracked as CVE-2020-1722).
8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy that permits system accounts with the krbPrincipalAux object class; this allows system accounts to have a keytab that does not expire. The “Default System Accounts Password Policy” also sets a minimum password length, which applies when the password is modified directly over LDAP.
8284: Upgrade jQuery version to actual one
Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.
8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets
Service delegation rules and targets now accept host principals as members.
8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
Memory handling in several FreeIPA KDC functions was fixed, preventing crashes when looking up machine account aliases (NetBIOS names) for Windows machines.
8301: The value of the first character in target* keywords is expected to be a double quote
389-ds 1.4 enforces the ACI syntax for target* keywords (targetattr, targetfilter, and so on): their values must be quoted, and an ACI that contains an unquoted value is ignored rather than applied. The default FreeIPA access controls were fixed to follow the 389-ds syntax. Any third-party ACIs must be updated manually; otherwise the access they grant silently disappears after the upgrade.
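A pre-upgrade check for that condition, as an added example that is neither FreeIPA's nor 389-ds's code: it scans an ACI string for target* keywords whose value does not start with a double quote and can also rewrite them with quotes (scanning the value with parenthesis balancing so an unquoted targetfilter is quoted as a whole). The sample ACIs are constructed, not copied from an IPA tree, and the keyword list is the set of target keywords the 389-ds ACI syntax defines.

```python
"""Find (and quote) unquoted target* keyword values in 389-ds ACIs.

Added example, not FreeIPA's or 389-ds's own code. Sample ACIs are
constructed for the demonstration.
"""
import re

# "(" keyword, "=" or "!=", then the first non-space character of the value.
TARGET_KEYWORD_RE = re.compile(
    r"\(\s*(target(?:attr|filter|scope|_to|_from)?|targattrfilters)\s*(!?=)\s*(\S)",
    re.IGNORECASE,
)


def unquoted_target_keywords(aci):
    """Return the target* keywords in `aci` whose value does not start with '"'."""
    return [m.group(1) for m in TARGET_KEYWORD_RE.finditer(aci) if m.group(3) != '"']


def fix_target_quoting(aci):
    """Return `aci` with every unquoted target* value wrapped in double quotes.

    The value runs to the ')' that closes its clause; parentheses inside the
    value (an LDAP filter) are balanced so the whole filter gets quoted.
    """
    out, pos = [], 0
    for m in TARGET_KEYWORD_RE.finditer(aci):
        if m.start() < pos or m.group(3) == '"':
            continue
        value_start = m.start(3)
        depth, i = 0, value_start
        while i < len(aci):
            c = aci[i]
            if c == "(":
                depth += 1
            elif c == ")":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        value = aci[value_start:i].rstrip()
        out.append(aci[pos:value_start])
        out.append(f'"{value}"')
        pos = i
    out.append(aci[pos:])
    return "".join(out)


# Constructed examples (not ACIs taken from an IPA tree).
BAD_ACI = ('(targetattr = memberOf || uid)'
           '(version 3.0; acl "Read user attributes"; '
           'allow (read, search, compare) userdn = "ldap:///all";)')
GOOD_ACI = ('(targetattr = "memberOf || uid")'
            '(version 3.0; acl "Read user attributes"; '
            'allow (read, search, compare) userdn = "ldap:///all";)')
BAD_FILTER_ACI = ('(targetfilter = (objectClass=ipausergroup))(targetattr = "cn")'
                  '(version 3.0; acl "Read group names"; allow (read) userdn = "ldap:///all";)')


if __name__ == "__main__":
    for aci in (BAD_ACI, GOOD_ACI, BAD_FILTER_ACI):
        bad = unquoted_target_keywords(aci)
        print("unquoted:", bad or "none")
        if bad:
            print("  fixed:", fix_target_quoting(aci))
```

Running the detector over the aci attribute values exported from the directory (for example with ldapsearch) before upgrading to 389-ds 1.4 shows which third-party rules would otherwise be silently dropped.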
8315: [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings
389-ds 1.4.1.6 introduced an automatic upgrade of stored password hashes on LDAP bind. FreeIPA now disables this feature, because the internal plugins that keep the LDAP and Kerberos password hashes in sync do not allow a password hash to be changed behind their back.
8322: [RFE] Changing default hostgroup is too easy
In the Web UI, a confirmation dialog was added to the automember configuration to prevent unintended changes of the default user or host group.
8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions 1.2 and later, before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery’s DOM manipulation methods (.html(), .append(), and others) may execute untrusted code. FreeIPA does not pass attacker-controlled HTML into the affected jQuery code path, but the jQuery fix was applied anyway.
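Why sanitizing before the call was not enough, as an added example that is neither jQuery's nor FreeIPA's code: the block below re-implements in Python the self-closing-tag rewrite that jQuery before 3.5.0 applied in htmlPrefilter before handing markup to the browser, beside the 3.5.0 behaviour (the markup is passed through unchanged). The payload is a constructed illustration: a sanitizer that allows a style element sees only text inside it, but the rewrite closes that element and exposes the img element to the parser afterwards.

```python
"""jQuery < 3.5.0 htmlPrefilter rewrite, reproduced in Python (CVE-2020-11022).

Added example, not jQuery's or FreeIPA's code. RX_HTML_TAG is the
self-closing-tag pattern that older jQuery applied; the payload is
constructed for the demonstration.
"""
import re

# Expand <tag .../> into <tag ...></tag> for any element that is not a void element.
RX_HTML_TAG = re.compile(
    r"<(?!area|br|col|embed|hr|img|input|link|meta|param)"
    r"(([a-z][^/\x00>\x20\t\r\n\f]*)[^>]*)/>",
    re.IGNORECASE,
)


def old_html_prefilter(html):
    """jQuery 1.2 .. 3.4.x behaviour: rewrite self-closing tags before parsing."""
    return RX_HTML_TAG.sub(r"<\1></\2>", html)


def new_html_prefilter(html):
    """jQuery >= 3.5.0 behaviour: the markup is passed through unchanged."""
    return html


# The sanitizer sees one <style> element whose text content is
# '<style/><img src=x onerror=alert(1)>'; nothing in it is an element.
SAMPLE_PAYLOAD = '<style><style/><img src=x onerror=alert(1)>'


def mutation_introduced(html, prefilter=old_html_prefilter):
    """True when the prefilter changes the markup, i.e. the browser parses
    something different from what the sanitizer approved."""
    return prefilter(html) != html


if __name__ == "__main__":
    print("sanitizer saw :", SAMPLE_PAYLOAD)
    print("browser got   :", old_html_prefilter(SAMPLE_PAYLOAD))   # </style> now closes the raw-text element
    print("mutated (old) :", mutation_introduced(SAMPLE_PAYLOAD))
    print("mutated (new) :", mutation_introduced(SAMPLE_PAYLOAD, new_html_prefilter))
```

After the rewrite the string contains a real </style>, so the browser's HTML parser leaves the raw-text style element at that point and parses the img element that follows, which fires its onerror handler. The 3.5.0 fix removes the rewrite entirely, so the sanitizer and the parser see the same bytes.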
8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain
Users from trusted Active Directory domains who have been granted permissions to manage IPA resources can now do so through the Web UI management console.
8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now use the ldap:///self bind rule and thus cover self-service operations. This makes it possible for third-party plugins to supply a complete set of managed permissions.
8357: Allow managing IPA resources as a user from a trusted Active Directory forest
A third-party plugin that provided management of IPA resources by users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added as members of IPA groups and roles, which allows AD users to manage IPA.
8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
LDAP authentication now evaluates the Kerberos principal and password expiration times in UTC. Previously the server’s local time zone was applied even though the stored values are in UTC, so on a server whose time zone is not UTC the expiration took effect earlier or later than intended, by the local UTC offset.
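The difference in concrete numbers, as an added example rather than the ipa-pwd-extop plugin's own code: the block converts a krbPasswordExpiration value (LDAP GeneralizedTime, UTC) to an epoch timestamp the correct way with calendar.timegm() and the old way with time.mktime(), and shows how the bind-time expiry decision diverges on a server whose process time zone is not UTC. The timestamp and the POSIX TZ strings are constructed for the demonstration; time.tzset() is only available on Unix.

```python
"""Kerberos expiration timestamps are UTC: convert with timegm(), not mktime().

Added example, not the ipa-pwd-extop plugin's own code. Timestamps and TZ
strings are constructed; time.tzset() is Unix-only.
"""
import calendar
import os
import time

GENTIME_FMT = "%Y%m%d%H%M%SZ"
SAMPLE_EXPIRATION = "20200601120000Z"   # 2020-06-01T12:00:00Z == epoch 1591012800


def gentime_to_epoch_utc(value):
    """Correct: broken-down UTC fields -> seconds since the epoch."""
    return calendar.timegm(time.strptime(value, GENTIME_FMT))


def gentime_to_epoch_local(value):
    """The old behaviour: the same fields interpreted in the process time zone."""
    return int(time.mktime(time.strptime(value, GENTIME_FMT)))


def is_expired(value, now_epoch, convert=gentime_to_epoch_utc):
    """Bind-time check: has the principal/password expiration been reached?"""
    return convert(value) <= now_epoch


def with_process_tz(tz, func, *args):
    """Call func(*args) with the process TZ temporarily set to `tz` (a POSIX TZ
    string such as 'EST5', meaning UTC-5 with no DST rule), then restore it."""
    old = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        return func(*args)
    finally:
        if old is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = old
        time.tzset()


def local_offset_error(value, tz):
    """Seconds by which the mktime() path misplaces a UTC timestamp under `tz`."""
    return with_process_tz(tz, gentime_to_epoch_local, value) - gentime_to_epoch_utc(value)


def decisions_one_hour_after_expiry(value, tz):
    """(correct, old) expiry decisions one hour after `value`, on a server in `tz`."""
    now = gentime_to_epoch_utc(value) + 3600
    correct = is_expired(value, now)
    old = with_process_tz(tz, is_expired, value, now, gentime_to_epoch_local)
    return correct, old


if __name__ == "__main__":
    print("UTC epoch:", gentime_to_epoch_utc(SAMPLE_EXPIRATION))
    for tz in ("UTC0", "EST5", "XYZ-9"):   # XYZ-9 is POSIX for UTC+9
        print(tz, "error:", local_offset_error(SAMPLE_EXPIRATION, tz), "s;",
              "(correct, old) 1h after expiry:",
              decisions_one_hour_after_expiry(SAMPLE_EXPIRATION, tz))
```

On a server west of UTC the old conversion keeps accepting an expired password for as long as the offset (five hours under EST5); east of UTC it starts rejecting before the real expiration.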
Enhancements#
Known Issues#
Bug fixes#
FreeIPA 4.8.7 is a stabilization release for the features delivered as part of the 4.8 version series.
It contains more than 70 bug fixes; details can be found in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets#
#3687 (rhbz#913799) [RFE] IPA user account expiry warning.
#3827 [RFE] Expose TTL in web UI
#6474 Remove ipaplatform dependency from ipa modules
#6783 (rhbz#1430365) [RFE] Host-group names command rename
#6857 ipa_pwd.c: Use OpenSSL instead of NSS for hashing
#6884 (rhbz#1441262) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
#7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
#7577 (rhbz#1579296) [RFE] DNS package check should be called earlier in installation routine
#7695 (rhbz#1623763) ipa service-del should display principal name instead of Invalid ‘principal’.
#8017 (rhbz#1817927) host-add --password logs cleartext userpassword to Apache error log
#8064 Request for IPA CI to enable DS audit/auditfail logging
#8066 (rhbz#1750242) Don’t use -t option to klist in adtrust code when timestamp is not needed
#8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.
#8101 Wrong pytest requirement in specfile
#8106 ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
#8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements
#8159 please migrate to the new Fedora translation platform
#8163 (rhbz#1782572) “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]
#8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs
#8186 Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
#8217 (rhbz#1810154) RFE: ipa-backup should compare locally and globally installed server roles
#8222 Upgrade dojo.js
#8247 test_fips PR-CI templates have a too-short timeout
#8251 [Azure] Catch coredumps
#8254 [Azure] ‘Tox’ task fails against Python3.8
#8261 [ipatests] Integration tests fail on non-firewalld distros
#8262 test_ipahealthcheck needs a higher timeout than 3600
#8264 Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
#8265 [ipatests] `/var/log/ipaupgrade.log` is not collected
#8266 test_webui_server requires a higher timeout than 3600
#8268 Prevent use of too long passwords
#8272 Use /run instead of /var/run
#8273 (rhbz#1834385) Man page syntax issue detected by rpminspect
#8276 Add default password policy for sysaccounts
#8283 Failures and AVCs with OpenDNSSEC 2.1
#8284 Upgrade jQuery version to actual one
#8287 named not starting after #8079, ipa-ext.conf breaks bind
#8289 ipa servicedelegationtarget-add-member does not allow to add hosts as targets
#8290 API inconsistencies
#8291 krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
#8297 Fix new pylint 2.5.0 warnings and errors
#8298 [WebUI] Cover membership management with UI tests
#8300 Replace uglify-js with python3-rjsmin
#8301 The value of the first character in target* keywords is expected to be a double quote
#8306 Adopt Black code style
#8307 make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
#8308 (rhbz#1829787) ipa service-del deletes the required principal when specified in lower/upper case
#8309 Convert ipaplatform from namespace package to regular package
#8311 (rhbz#1825829) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
#8312 Fix api.env.in_tree detection logic
#8313 Values of api.env.mode are inconsistent
#8315 (rhbz#1833266) [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings
#8316 [Azure] Whitelist clock_adjtime syscall
#8317 XML-RCP and CLI tests depend on internal --force option
#8319 Support server referrals for enterprise principals
#8322 [RFE] Changing default hostgroup is too easy
#8323 [Build failure] Race: make po fails on parallel build
#8325 [WebUI] Fix htmlPrefilter issue in jQuery
#8328 krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
#8330 [Azure] Build job fails on `tests` container preparation
#8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain
#8338 [WebUI] Host detail with no assigned ID view makes invalid RPC call
#8339 [WebUI] User details tab headers don’t show member count when on settings tab
#8348 Allow managed permissions with ldap:///self bind rule
#8349 bind-9.16 and dnssec-enable
#8350 bind-9.16 and DLV
#8352 RPC API crashes when a user is disabled while a session exists
#8357 Allow managing IPA resources as a user from a trusted Active Directory forest
#8358 TTL of DNS record can be set to negative value
#8359 [WebUI] dnsrecord_mod results in JS error
#8362 (rhbz#1826659) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
#8363 DNS config upgrade code fails
Detailed changelog since 4.8.6#
Armando Neto (1)#
prci: update templates for new Fedora release commit
Alexander Bokovoy (35)#
Become FreeIPA 4.8.7 commit
ipa-4-8: update list of contributors commit
ipa-4-8: Update translation files before 4.8.7 release commit
ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset commit #8362
ipatests: test that adding Active Directory user to a role makes it an administrator commit #8357
Web UI: allow users from trusted Active Directory forest manage IPA commit #8335
tests: account for ID overrides as members of groups and roles commit #7255
Support adding user ID overrides as group and role members commit #7255
idviews: handle unqualified ID override lookups from Web UI commit #7255
support using trust-related operations in the server console commit
kdb: handle enterprise principal lookup in AS_REQ commit #8319
azure: do not run test_commands due to failures in low memory cases commit
test_smb: test S4U2Self operation by IPA service commit #8319
ipa-kdb: refactor principal lookup to support S4U2Self correctly commit #8319
ipa-kdb: add primary group to list of groups in MS-PAC commit #8319
ipa-kdb: Always allow services to get PAC if needed commit #8319
kdb: add minimal server referrals support for enterprise principals commit #8319
ipa-tests: add a test to make sure MS-PAC is produced by KDC commit #8319
ipa-print-pac: acquire and print PAC record for a user commit #8319
baseldap: de-duplicate passed attributes when checking for limits commit #8328
service delegation: allow to add and remove host principals commit #8289
WebUI: use python3-rjsmin to minify JavaScript files commit #8300
test_smb: test that we can auth as NetBIOS alias commit #8291
kdb: fix memory handling in ipadb_find_principal commit #8291
kdb: initialize flags in ipadb_delete_principal() commit #8291
Azure Pipelines: switch to Fedora 32 commit
Azure Pipelines: Override services known to not work in containers commit
Add pytest.skip_if_container() commit
CVE-2020-1722: prevent use of too long passwords commit #8268
Add ‘api’ and ‘aci’ targets to make commit
Remove Fedora repository fastmirror selection commit
Peter Keresztes Schmidt (10)#
Split named custom config to allow changes in options stanza commit #8287
po: remove zanata config since translation was moved to weblate commit #8159
Specify min and max values for TTL of a DNS record commit #8358
WebUI: Add units to some DNS zone and IPA config fields commit
WebUI: Refresh DNS record data correctly after mod operation commit #8359
WebUI: Fix invalid RPC calls when link widget has no pkey passed commit #8338
WebUI: Use data adapter to load facet header data commit #8339
Christian Heimes (43)#
Overhaul bind upgrade process commit
Fix named.conf named_conf_include_re commit
Remove named_validate_dnssec update step commit
More upgrade tests commit
Fix named.conf update bug NAMED_DNSSEC_VALIDATION commit #8363
Auto-generated ipa-epn files to gitignore commit
Include named config files in backup commit
Add ipa-print-pac to gitignore commit
Use httpd 2.4 syntax for access control commit
Make ipaplatform a regular top-level package commit #6474, #8309
Fix E721 do not compare types, use ‘isinstance()’ commit #8306
Fix E714 test for object identity should be ‘is not’ commit #8306
Fix E713 test for membership should be ‘not in’ commit #8306
Fix E266 too many leading ‘#’ for block comment commit #8306
Simplify pki proxy conf commit
Make check_required_principal() case-insensitive commit #8308
Add skip_if_platform marker commit
Fix exception escape warning commit
Fix APIVersion.__getnewargs__ commit
François Cami (13)#
ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py commit
tasks.py: add krb5_trace to create_active_user and kinit_as_user commit
tox.ini: switch from W503 to W504 commit
ipa-backup: Make sure all roles are installed on the current master. commit #8217
test_backup_and_restore: add server role verification steps commit #8217
ipatests: test ipa-backup with different role configurations. commit #8217
nightly_ipa-4-8_previous.yaml: fix typo commit
Florence Blanc-Renaud (4)#
Francisco Trivino (1)#
prci_definitions: remove test_smb from ipa-4-8 gating workflow commit
Fraser Tweedale (10)#
upgrade: avoid stopping certmonger when fixing requests commit #8186
httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure commit #8186
ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname commit #8186
upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate commit #8186
httpinstance: add ipa-ca.$DOMAIN alias in initial request commit #8186
cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers commit #8186
httpinstance: add fqdn and ipa-ca alias to Certmonger request commit #8186
certmonger: support dnsname as request search criterion commit #8186
certmonger: move ‘criteria’ description to module docstring commit #8186
Kaleemullah Siddiqui (1)#
Miro Hrončok (1)#
Fix a syntax typo commit
Michal Polovka (2)#
Mohammad Rizwan Yusuf (6)#
ipatests: Test deletion of required principal throws proper error commit #7695
Display principal name while del required principal commit #7695
WebUI tests: fix PEP8 issues in test_webui/test_user.py commit
webui: check if notification area doesn’t intercept menu button commit #8120
ipatests: Test to check password leak in apache error log commit #8017
ipatests: Test if proper error thrown when AD user tries to run IPA commands commit #8163
Rob Crittenden (12)#
IPA-EPN: add smtp_delay to limit the velocity of e-mails sent commit #3687
IPA-EPN: Add mail-test option for testing sending live email commit #3687
IPA-EPN: Add tests for sending real mail with auth and templates commit #3687
IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions commit #3687
Perform baseline healthcheck commit
Sam Morris (1)#
Sergio Oliveira Campos (1)#
Add test for sssd ad trust lookup with dn in certmaprule commit
Stanislav Levin (18)#
Azure: Always update apt cache commit
ipatests: Remove no longer needed ‘skip’ compatibility commit #8101
ipatests: Remove no longer needed ‘capture’ compatibility commit #8101
ipatests: Mark firewalld commands as no-op on non-firewalld distros commit #8261
Azure: Allow distros to install Python they want commit #8254
Sergey Orlov (10)#
ipatests: mark test_trustdomain_disable test as expectedly failing commit
ipatests: add context manager for declaring part of test as xfail commit
ipatests: add utility for getting sssd version on remote host commit
update prci definitions for test_sssd.py commit
ipatests: add test for sssd behavior with disabled trustdomains commit
ipatests: run all cases from test_integration/test_idviews.py in nightlies commit
ipatests: explicitly save output of certutil commit
ipatests: add AD DC as a DNS forwarder before establishing trust commit
ipatests: add missing classes from test_installation in nightly runs commit
ipatests: run test_integration/test_cert.py in PR-CI commit
Sumedh Sidhaye (2)#
Stasiek Michalski (1)#
Support for SUSE/openSUSE ipaplatform commit
Serhii Tsymbaliuk (6)#
WebUI: Apply jQuery patch to fix htmlPrefilter issue commit #8325
WebUI tests: Add confirmation step after changing default group in automember tests commit #8322
WebUI: Add confirmation dialog for changing default user/host group commit #8322
WebUI tests: cover membership management with UI tests commit #8298
sumenon (7)#
ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files commit
ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck commit
ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck commit
ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8 commit #8066
ipatests: Test for ipahealthcheck tool for IPADomainCheck. commit
ipatests: Test for ipahealthcheck.ds.ruv check commit
Test for ipahealthcheck.ipa.idns check when integrated DNS is setup commit