The FreeIPA team would like to announce FreeIPA 4.8.9 release!

It can be downloaded from Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.8.9#

  • 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI

  • 7137: [RFE]: Able to browse different links from IPA web gui in new tabs

  • 8129: Tests: Replace paramiko with OpenSSH

    Paramiko is not compatible with FIPS mode, therefore convert most tests to using ssh directly. The only non-converted test is the 2-prompt OTP test because sshpass does not support 2-prompt password authentication ( ).

  • 8151: test_commands timing-out

    Re-enable test_sss_ssh_authorizedkeys ; add -v to ssh in order to get debug information if this test fails or stalls again. The test was run 16 times without a failure before re-enabling it.

  • 8189: NIghtly test failure in test_integration/

    Previously, ipa-client-installation saved the pre-install state using “authselect current” command and the uninstallation reverted to the same authselect state. In cases where the system was installed using authconfig instead of authselect, the uninstallation was unable to revert to the same state and picked “sssd“‘s authselect profile instead. Now, the client installation relies on the backup functionality of authselect and is able to revert to the exact pre-install state

  • 8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf

    ipa-client-installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting “ChallengeResponseAuthentication yes” take precedence.

  • 8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain

    When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.

  • 8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn

    EPN did not ship any configuration file. This was an oversight, but the tool itself would work fine as it had sane defaults ; moreover, the man page for the configuration file was present.

  • 8391: Remove dnf workaround from test_epn.y

    The new PR-CI images are cleaner and do not need the *epn* packages to be uninstalled/reinstalled.

  • 8401: Create platform definitions for freeipa-container

    ipaplatform now provides container platform flavors for freeipa/freeipa-container

  • 8432: test failure in AssertionError

    Sometimes test_login_wrong_password fails because the log window the string message is searched in is too narrow. Broaden the window by looking at the past 10 seconds.

  • 8444: EPN: enhance input validation

    Various input validation checks were added to EPN.

  • 8445: EPN: ‘[Errno 111] Connection refused’ when the SMTP is down

    EPN now displays a proper message if the configured SMTP server cannot be contacted.

  • 8449: EPN: enhance CLI option tests

    EPN: enhance existing tests for –dry-run, –from-nbdays and –to-nbdays.


Known Issues#

Bug fixes#

FreeIPA 4.8.9 is a stabilization release for the features delivered as a part of 4.8 version series.

There are more than 50 bug-fixes details of which can be seen in the list of resolved tickets below.


Upgrade instructions are available on Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list ( or #freeipa channel on Freenode.

Resolved tickets#

  • #5011 (rhbz#1527185) [RFE] Forward CA requests to dogtag or helper by GSSAPI

  • #5628 webui: Unclear(UX) purpose of OTP field in password reset form on login

  • #7137 (rhbz#1484088) [RFE]: Able to browse different links from IPA web gui in new tabs

  • #8129 Tests: Replace paramiko with OpenSSH

  • #8151 test_commands timing-out

  • #8189 (rhbz#1810179) NIghtly test failure in test_integration/

  • #8300 Replace uglify-js with python3-rjsmin

  • #8304 [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf

  • #8326 CVE-2020-10747

  • #8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain

  • #8336 [WebUI] “User attributes for SMB services” section always shown

  • #8364 Nightly test failure while establishing trust: Cannot find specified domain or server name

  • #8366 CA-less replica deployment fails with –setup-ca

  • #8367 IPA-EPN fails to build in ONLY_CLIENT mode

  • #8368 (rhbz#1846349) cannot issue certs with multiple IP addresses corresponding to different hosts

  • #8369 cert_find returns “CA not configured” in CA-less install

  • #8370 ipa-join does not set nshardwareplatform and nsosversion

  • #8371 Nightly test failure [testing_master_testing] in test_integration/

  • #8372 (rhbz#1849914) FreeIPA - Utilize 256-bit AJP connector passwords

  • #8374 (rhbz#1847999) EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn

  • #8377 Nightly test failure (timeout) in test_caless_TestReplicaInstall

  • #8379 Nightly test failure [testing_master_pki] while installing CA replica

  • #8381 Nightly test failure in test_webui/

  • #8384 Provide reliable way to know if a server installation is complete

  • #8388 Make help() on plugins more useful

  • #8391 Remove dnf workaround from test_epn.y

  • #8395 selinux don’t audit rules deny fetching trust topology

  • #8396 [WebUI] Font type of “Enabled” column in user search facet wrong

  • #8399 certmonger attempts to add LWCA tracking requests on non-CA server.

  • #8400 sshd template file is installed in a wrong (server) location while used by the client side

  • #8401 Create platform definitions for freeipa-container

  • #8403 Add option to add ipaapi user as an allowed uid for ifp in /etc/sssd/sssd.conf when running ipa-replica-install

  • #8407 Support changelog integrated into main database

  • #8412 (rhbz#1857157) AVC: httpd cannot connect to ipa-custodia.sock

  • #8413 Nightly test failure in test_integration/

  • #8414 Nightly test failure in test_integration/

  • #8416 [WebUI] Error while adding user ID overrides to group

  • #8419 Azure is reporting a slew of new no-member lint errors

  • #8425 Nightly test failure in test_cert.test_cert.TestInstallMasterClient (certmonger timeout)

  • #8428 [ipatests] fails due to new python-cryptography 3.0

  • #8429 Add fips-mode-setup to ipaplatform.paths

  • #8432 test failure in AssertionError

  • #8435 [ipatests] failures due to new Pytest6.0 (pypi part)

  • #8437 unit tests for ipa-extdom-extop are failing in Fedora 33

  • #8439 Nightly test failure in test_integration/

  • #8440 (rhbz#1863616) CA-less install does not set required permissions on KDC certificate

  • #8441 (rhbz#1870202) File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less

  • #8442 [pylint] warnings/errors against pylint 2.5.3

  • #8444 (rhbz#1866291) EPN: enhance input validation

  • #8445 (rhbz#1863079) EPN: ‘[Errno 111] Connection refused’ when the SMTP is down

  • #8447 Nightly test failure in test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS

  • #8449 (rhbz#1866291) EPN: enhance CLI option tests

  • #8456 Need new aci’s for the new replication changelog entries

  • #8459 [upgrade] handle missing openssh-clients

  • #8461 [ALTLinux] server uninstall error on missing /var/lib/samba

  • #8463 Nightly test failure in

  • #8464 Increase replication changelog trimming interval

Detailed changelog since 4.8.8#

Armando Neto (4)#

  • ipatests: bump pr-ci templates commit

  • ipatests: bump pr-ci templates commit

  • ipatests: bump prci templates commit

  • ipatests: bump prci templates commit

Alexander Bokovoy (10)#

  • Become FreeIPA 4.8.9 commit

  • ipa-4-8: Add new contributors commit

  • ipa-4-8: update po/ipa.pot commit

  • Add alternative email to the mailmap for myself commit

  • extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration commit #8437

  • selinux: support running ipa-custodia with PrivateTmp=yes commit #8395

  • selinux: allow oddjobd to set up ipa_helper_t context for execution commit #8395

  • Get back to git snapshots commit

  • Become FreeIPA 4.8.8 commit

  • VERSION: back to git snapshots commit

Anuja More (5)#

  • ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn commit

  • ipatests: xfail test with older versions of sssd commit

  • ipatests : Test to verify override_gid works with subdomain. commit

  • ipatests: xfail test with older versions of sssd commit

  • ipatests: Test that trusted AD users should not lose their AD domains. commit

Alexander Scheel (3)#

  • Specify cert_paths when calling PKIConnection commit #8379

  • Configure PKI AJP Secret with 256-bit secret commit #8372

  • Clarify AJP connector creation process commit

Peter Keresztes Schmidt (7)#

  • WebUI: Unify adapter property definition for state evaluators commit #8336

  • WebUI: Make object_class_evaluator evaluator compatible with batch responses commit #8336

  • Populate nshardwareplatform and nsosversion during join operation commit #8370

  • WebUI: Fix rendering of boolean_status_formatter commit #8396

  • Unify spelling of “One-Time Password” commit

  • WebUI: reword OTP info message displayed during PW reset commit #5628

  • WebUI: move OTP to be the last field in the PW reset form commit #5628

Christian Heimes (17)#

  • Treat container subplatforms like main platform commit #8401

  • Don’t configure authselect in containers commit #8401

  • Convert ipa-httpd-pwdreader into Python script commit #8401

  • Explicitly pass keytab to ipa-join commit

  • Write state dir to smb.conf commit #8401

  • Add ipaplatform for Fedora and RHEL container commit #8401

  • Allow to override ipaplatform with env var commit #8401

  • Teach pylint how dnspython 2.x works commit #8419

  • Add missing SELinux rule for ipa-custodia.sock commit #8412

  • Make tab completion in console more useful commit

  • Add __signature__ to plugins commit #8388

  • SELinux: Backport dirsrv_systemctl interface commit

  • RHEL 8.3 has KRB5 1.18 with KDB 8.0 commit

  • Use old uglifyjs on RHEL 8 commit #8300

  • Build ipa-selinux package on RHEL 8 commit

  • Prevent local account takeover commit #8326

  • Move ipa-epn systemd files and run RPM hooks commit #8367

François Cami (28)#

  • IPA-EPN: enhance input validation commit #8444

  • ipatests: test_epn: update error messages commit #8449

  • IPA-EPN: Fix SMTP connection error handling commit #8445

  • ipatests: test_epn: add test_EPN_connection_refused commit #8445

  • IPA-EPN: fix configuration file typo commit

  • IPA-EPN: Use a helper to retrieve LDAP attributes from an entry commit

  • ipatests: test_epn: test_EPN_nbdays enhancements commit #8449

  • ipatests: fix ipa-epn invocation commit #8449

  • ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd commit #8129

  • ipatests: ui_driver: convert run_cmd_on_ui_host to commit #8129

  • ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH commit #8129

  • ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH commit #8129

  • ipatests: test_commands: test_ssh_from_controller: refactor commit #8129

  • ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH commit #8129

  • ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH commit #8129

  • tasks: add run_ssh_cmd commit #8129

  • ipatests: test_commands: test_login_wrong_password: look farther in time commit #8432

  • ipatests: test_sss_ssh_authorizedkeys commit #8151

  • ipatests: re-enable test_sss_ssh_authorizedkeys commit #8151

  • ipatests: xfail TestIpaClientAutomountFileRestore’s final test commit #8189

  • ipatests: remove dnf workaround from commit #8391

  • ipatests: display SSSD kdcinfo in commit

  • ipatests: increase test_caless_TestReplicaInstall timeout commit #8377

  • ipatests: ipa_epn: uninstall/reinstall ipa-client-epn commit #8374

  • ipatests: check that EPN’s configuration file is installed. commit #8374

  • man pages: fix epn.conf.5 and ipa-epn.1 formatting commit

  • EPN: ship the configuration file. commit #8374

  • .mailmap: add fcami commit

Florence Blanc-Renaud (20)#

  • ipatests: remove xfail from test_dnssec commit

  • ipatests: fix TestIpaHealthCheckWithoutDNS failure commit #8447

  • ipatests: fix commit #8439

  • ipatests: increase test_trust timeout commit

  • ipatests: check KDC cert permissions in CA less install commit #8440

  • CAless installation: set the perms on KDC cert file commit #8440

  • ipatests: fix test_authselect commit #8189

  • ipatests: remove the xfail for commit #8189

  • ipa-client-install: use the authselect backup during uninstall commit #8189

  • ipatests: Fix TestReplicaPromotionLevel1 commit #8414

  • ipatests: fix TestUnprivilegedUserPermissions commit #8413

  • sshd template must be part of client package commit #8400

  • Bump requires for selinux-policy commit

  • ipatests: fix the method adding ifp to sssd.conf commit #8371

  • Unify spelling of “One-Time Password” (take 2) commit #5628, #8381

  • client install: fix broken sshd config commit #8304

  • ipa-client-install: use sshd drop-in configuration commit #8304

  • ipatests: add a test for ipa-replica-install –setup-ca –http-cert-file commit #8366

  • ipa-replica-install: –setup-ca and *-cert-file are mutually exclusive commit #8366

  • ipatests: fix the disable_dnssec_validation method commit #8364

Fraser Tweedale (5)#

  • certupdate: only add LWCA tracking requests on CA servers commit #8399

  • cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf commit

  • Define errors_by_code in ipalib.errors commit #5011

  • fix iPAddress cert issuance for >1 host/service commit #8368

  • fix cert-find errors in CA-less deployment commit #8369

Jeremy Frasier (2)#

  • replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas commit #8403

  • replica: Ensure the ipaapi user is allowed to access ifp on replicas commit #8403

Kaleemullah Siddiqui (1)#

  • Tests for fake_mname parameter setup commit

Michal Polovka (2)#

  • ipatests: test_epn: test_EPN_config_file: Package name fix commit

  • ipatests: test_epn: Fix package installation commit

Mark Reynolds (3)#

  • Increase replication changelog trimming to 30 days commit #8464

  • Issue 8456 - Add new aci’s for the new replication changelog entries commit #8456

  • Issue 8407 - Support changelog integration into main database commit #8407

Mohammad Rizwan (3)#

  • ipatests: Test certmonger rekey command works fine commit

  • Xfail test for sssd < 2.3.0 commit

  • ipatests: Test ipa user login with wrong password commit

Petr Voborník (2)#

  • baseuser: fix ipanthomedirectorydrive option name commit

  • webui: hide user attributes for SMB services section if empty commit #8336

Rob Crittenden (23)#

  • ipatests: stop the CA during healthcheck expiration test commit #8463

  • Improve performance of ipa-server-guard commit #8425

  • IPA-EPN: Test that EPN can be install, uninstalled and re-installed commit

  • Added negative test case for –list-sources option commit

  • ipatests: CLI validation of ipa-healthcheck command commit

  • IPA-EPN: Test that users without givenname and/or mail are handled commit

  • Address legacy pylint issues in commit #8384

  • Update check_client_configuration to use new client fact commit #8384

  • Don’t use the has_files() to know if client/server is configured commit #8384

  • Create a common place to retrieve facts about an IPA installation commit #8384

  • Simplify determining if IPA client configuration is complete commit #8384

  • Simplify determining if an IPA server installation is complete commit #8384

  • ipatests: Check permissions of /etc/ipa/ca.crt new installations commit #8441

  • Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations commit #8441

  • ipatests: Test healthcheck revocation checker commit

  • ipatests: Use healthcheck namespacing in stopped server test commit

  • ipatests: lib389 is now providing healthchecks, update naming commit

  • ipatests: Add healthcheck test for FileSystemSpaceCheck commit

  • ipatests: verify that all services can be detected by healthcheck commit

  • ipatests: Test that healthcheck detects and reports expiration commit

  • ipatests: Test cases for healthcheck File checker(s) commit

  • Replace SSLCertVerificationError with CertificateError for py36 commit

  • Add fips-mode-setup to ipaplatform.paths to determine FIPS status commit #8429

Stanislav Levin (9)#

  • spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package commit

  • uninstall: Clean up no longer used flag commit #8461

  • uninstall: Don’t fail on missing /var/lib/samba commit #8461

  • rpm-spec: Don’t fail on missing /etc/ssh/ssh_config commit #8459

  • ipatests: Skip keyring tests on containerized platforms commit

  • Azure: Switch to dockerhub provider commit

  • ipatests: Add compatibility against python-cryptography 3.0 commit #8428

  • pylint: Fix warning and error commit #8442

  • ipatests: Don’t turn Pytest IPA deprecation warnings into errors commit #8435

Sergey Orlov (1)#

  • Fix password file permission commit

Serhii Tsymbaliuk (5)#

  • WebUI tests: Add test case to cover user ID override feature commit #8416

  • WebUI: Fix error “unknown command ‘idoverrideuser_add_member’” commit #8416

  • WebUI tests: Change navigation tests to find menu items using data-name instead of href commit #7137

  • WebUI: Fix issue with opening links in new tab/window commit #7137

  • WebUI: Fix “IPA Error 3007: RequirmentError” while adding idoverrideuser association commit #8335

sumenon (9)#

  • Modified YAML files to include healthcheck externalCA tests commit

  • ipatests: Tests for ipahealthcheck tool with IPA external commit

  • ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert commit

  • ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed commit

  • ipatests: Increase timeout value in test_getcert_list_profile_using_subca commit

  • ipatests: Test for ipa-nis-manage CLI tool. commit

  • ipatests: Tests to check profile is displayed for getcert request. commit

  • Modified YAML to include healthcheck IPA-AD trust scenario commit

  • ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario commit

Zdenek Pytela (1)#

  • Allow ipa-adtrust-install restart sssd and dirsrv services commit