Ctrl+K

Highlights in 4.9.0 release candidate 2

The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 2!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora Rawhide will be available from the official repository soon.

We are not planning producing builds of release candidates for the Fedora 32/33 at this moment. Final FreeIPA 4.9.0 release might be produced for Fedora 33 depending on upgrade test results.

Highlights in 4.9.0 release candidate 2#

Bug fixes#

FreeIPA 4.9.0 release candidate 2 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 10 bug-fixes since FreeIPA 4.9.0 release candidate 1. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

  • #3299 [RFE] Switch the client to JSON RPC

  • #7534 (rhbz#1569011) Investigate failures to restore 389-ds attriubtes on upgrade failure

  • #7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration

  • #7975 Accept 389-ds JSON replication status messages

  • #8424 Add ipa.p11-kit to ipa-client-install man page files list

  • #8514 (rhbz#1885126) Nightly failure (enforcing mode) in test_acme.py::TestACME::test_mod_md

  • #8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system

  • #8531 RFE: Use host keytab to obtain ticket for ipa-certupdate

  • #8545 (rhbz#1869605) KRA Transport and Storage Certificates do not renew

  • #8554 (rhbz#1891056) ipa-kdb: support subordinate/superior UPN suffixes

  • #8581 Nightly test failure in test_acme.py::TestACME::test_third_party_certs (updates-testing)

  • #8587 client-only build fails due to unconditional use of pwquality features

  • #8589 (rhbz#1812871) Intermittent IdM Client Registration Failures

  • #8590 Nightly test failure in test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_default::setup

  • #8595 Allow ipa-ca as a name for an IPA server

  • #8597 (rhbz#1901068) Traceback while doing ipa-backup

  • #8601 Nightly test failure in test_trust.py::TestTrust::test_subordinate_suffix

  • #8603 (rhbz#1902727) ipa-acme-manage enable fails after upgrade

Detailed changelog since 4.9.0rc1#

Armando Neto (1)#

  • ipatests: Bump PR-CI templates commit

Alexander Bokovoy (5)#

  • Become FreeIPA 4.9.0rc2 commit

  • Update contributors commit

  • freeipa.spec.in: unify spec files across upstream RHEL, and Fedora commit

  • ad trust: accept subordinate domains of the forest trust root commit #8554

  • util: Fix client-only build commit #8587

Antonio Torres Moríñigo (1)#

  • ipa-client-install manpage: add ipa.p11-kit to list of files created commit #8424

Florence Blanc-Renaud (2)#

  • ipatests: fix TestTrust::test_subordinate_suffix commit #8601

  • Always define the path DNSSEC_OPENSSL_CONF commit #8597

Mark Reynolds (1)#

  • Accept 389-ds JSON replication status messages commit #7975

Mohammad Rizwan (1)#

  • ipatests: Test certmonger IPA responder switched to JSONRPC commit #3299

Rob Crittenden (25)#

  • Skip the ACME mod_md test when the client is in enforcing mode commit #8514

  • Increase timeout for krbtpolicy to 4800 commit #8589

  • Enable the ccache sweep systemd timer commit #8589

  • ipatests: test that stale caches are removed using the sweeper commit #8589

  • Generate a unique cache for each connection commit #8589

  • Convert reset_to_default_policy into a pytest fixture commit #8589

  • VERSION: back to git snapshots commit

  • ipatests: Test that ipa-ca.$domain can retrieve CRLs without redirect commit #8595

  • Allow Apache to answer to ipa-ca requests without a redirect commit #8595

  • Move where the restore state is marked during IPA server upgrade commit #7534

  • Reorder when ACME is enabled to fix failure on upgrade commit #8603

  • Remove test for minimum ACME support and rely on package deps commit

  • Require PKI 10.10+ for KRA profile and ACME support commit #8524, #8545

  • Test that the KRA profiles can renewal its three certificates commit #8545

  • Change KRA profiles in certmonger tracking so they can renew commit #8545

  • ipatests: Increase timeout for ACME in gating.yaml commit #8581

  • ipatests: honor class inheritance in TestACMEwithExternalCA commit #8581

  • ipatests: configure MDStoreDir for mod_md ACME test commit #8581

  • ipatests: Clean up existing ACME registration and certs commit #8581

  • ipatests: Configure a replica in TestACMEwithExternalCA commit #8581

  • ipatests: call the CALess install method to generate the CA commit #8581

  • ipatests: Test that Match ProxyCommand masks on no shell exec commit #7676

  • Create IPA ssh client configuration and move ProxyCommand commit #7676

  • ipatests: Test that ipa-certupdate can run without credentials commit #8531

  • Use host keytab to obtain credentials needed for ipa-certupdate commit #8531

Robbie Harwood (1)#

Sudhir Menon (2)#

  • ipatests: support subordinate upn suffixes commit

  • ipatests: Tests for ipahealthcheck.ds.nss_ssl commit

Contents